phobos | a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207

Analysis

max time kernel
114s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2023 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
Size

374KB
MD5

11576ac18b5197c705e4282db22f0295
SHA1

2fbc5d63c8de05d5f1102a8066d5b394612128fc
SHA256

a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207
SHA512

ce194dee6ad0e72e330dbd817c9dc8b93b9e5bc7fac9f3e3d8395268b2f5b9f98de97fa83f864cae4e943f94b2cf7980bd7ad34130e2413e17d2c46937112d65
SSDEEP

6144:OHLXQ54uIlhxS4eDVFXbDu9l+9xj6RHARigv:cjQ5NkEhPLir+9wRHqiU

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>0F555336-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1304-124-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1304-122-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1304-123-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1304-125-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1304-139-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1304-142-0x00000000024D0000-0x00000000028D0000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe

description pid process target process

PID 1304 created 2444 1304 a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2968 bcdedit.exe
4756 bcdedit.exe
4288 bcdedit.exe
2968 bcdedit.exe
Renames multiple (436) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

952 wbadmin.exe
1600 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3124 netsh.exe
3148 netsh.exe
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

348 certreq.exe
Drops startup file 1 IoCs

Processes:

fywk61(l.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fywk61(l.exe fywk61(l.exe
Executes dropped EXE 8 IoCs

Processes:

z8{AQZ.exefywk61(l.exeq%5P_G.exefywk61(l.exez8{AQZ.exe352.exe585.exeB04.exe

pid process

4780 z8{AQZ.exe
1576 fywk61(l.exe
4492 q%5P_G.exe
1056 fywk61(l.exe
904 z8{AQZ.exe
3744 352.exe
3100 585.exe
3060 B04.exe
Loads dropped DLL 2 IoCs

Processes:

AppLaunch.exe

pid process

4016 AppLaunch.exe
4016 AppLaunch.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1304 created 2444	1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe	Explorer.EXE

pid	process
2968	bcdedit.exe
4756	bcdedit.exe
4288	bcdedit.exe
2968	bcdedit.exe

pid	process
952	wbadmin.exe
1600	wbadmin.exe

pid	process
3124	netsh.exe
3148	netsh.exe

pid	process
348	certreq.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fywk61(l.exe	fywk61(l.exe

pid	process
4780	z8{AQZ.exe
1576	fywk61(l.exe
4492	q%5P_G.exe
1056	fywk61(l.exe
904	z8{AQZ.exe
3744	352.exe
3100	585.exe
3060	B04.exe

pid	process
4016	AppLaunch.exe
4016	AppLaunch.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fywk61(l.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\fywk61(l = "C:\\Users\\Admin\\AppData\\Local\\fywk61(l.exe"	fywk61(l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fywk61(l = "C:\\Users\\Admin\\AppData\\Local\\fywk61(l.exe"	fywk61(l.exe

Drops desktop.ini file(s) 25 IoCs

Processes:

fywk61(l.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	fywk61(l.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4175128012-676912335-1083716439-1000\desktop.ini	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	fywk61(l.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4175128012-676912335-1083716439-1000\desktop.ini	fywk61(l.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	fywk61(l.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fywk61(l.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	fywk61(l.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

z8{AQZ.exeB04.exe

description	pid	process	target process
PID 4780 set thread context of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 3060 set thread context of 4016	3060	B04.exe	AppLaunch.exe

Drops file in Program Files directory 64 IoCs

Processes:

fywk61(l.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	fywk61(l.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moon.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-200.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-200.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-48_altform-unplated.png	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache-Light.scale-240.png	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\ui-strings.js.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar	fywk61(l.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\182.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button_down.png	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png	fywk61(l.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms	fywk61(l.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\THMBNAIL.PNG.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Connecting.m4a	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72.png	fywk61(l.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML	fywk61(l.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-100_contrast-black.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\image_placeholder.scale-200.png	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\createpdf.svg.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PowerShell.PackageManagement.resources.dll	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js	fywk61(l.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-24_altform-unplated_contrast-white.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_20x20x32.png	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\ui-strings.js.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.Tests.ps1	fywk61(l.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected-hover.svg.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms	fywk61(l.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js	fywk61(l.exe
File created	C:\Program Files (x86)\desktop.ini.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Gimme_Five_.png	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml	fywk61(l.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF	fywk61(l.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll	fywk61(l.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\wordpad.exe.mui	fywk61(l.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.id[0F555336-3483].[[email protected]].8base	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL	fywk61(l.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui	fywk61(l.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml	fywk61(l.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4760	1304	WerFault.exe	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
4736	3060	WerFault.exe	B04.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exez8{AQZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	z8{AQZ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	z8{AQZ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	z8{AQZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.execertreq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2240 timeout.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1672 vssadmin.exe
5888 vssadmin.exe

pid	process
2240	timeout.exe

pid	process
1672	vssadmin.exe
5888	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.execertreq.exez8{AQZ.exefywk61(l.exeExplorer.EXE

pid	process
1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
348	certreq.exe
348	certreq.exe
348	certreq.exe
348	certreq.exe
904	z8{AQZ.exe
904	z8{AQZ.exe
1576	fywk61(l.exe
1576	fywk61(l.exe
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
1576	fywk61(l.exe
1576	fywk61(l.exe
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
1576	fywk61(l.exe
1576	fywk61(l.exe
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
1576	fywk61(l.exe
1576	fywk61(l.exe
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
1576	fywk61(l.exe
1576	fywk61(l.exe
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2444 Explorer.EXE

pid	process
2444	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

z8{AQZ.exeExplorer.EXE

pid	process
904	z8{AQZ.exe
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE
2444	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

fywk61(l.exevssvc.exeWMIC.exeExplorer.EXEwbengine.exe

description	pid	process
Token: SeDebugPrivilege	1576	fywk61(l.exe
Token: SeBackupPrivilege	4748	vssvc.exe
Token: SeRestorePrivilege	4748	vssvc.exe
Token: SeAuditPrivilege	4748	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeBackupPrivilege	4992	wbengine.exe
Token: SeRestorePrivilege	4992	wbengine.exe
Token: SeSecurityPrivilege	4992	wbengine.exe
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exez8{AQZ.exefywk61(l.execmd.execmd.exeExplorer.EXEB04.exe

description	pid	process	target process
PID 1304 wrote to memory of 348	1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe	certreq.exe
PID 1304 wrote to memory of 348	1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe	certreq.exe
PID 1304 wrote to memory of 348	1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe	certreq.exe
PID 1304 wrote to memory of 348	1304	a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe	certreq.exe
PID 4780 wrote to memory of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 4780 wrote to memory of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 4780 wrote to memory of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 4780 wrote to memory of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 4780 wrote to memory of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 4780 wrote to memory of 904	4780	z8{AQZ.exe	z8{AQZ.exe
PID 1576 wrote to memory of 4328	1576	fywk61(l.exe	cmd.exe
PID 1576 wrote to memory of 4328	1576	fywk61(l.exe	cmd.exe
PID 1576 wrote to memory of 164	1576	fywk61(l.exe	cmd.exe
PID 1576 wrote to memory of 164	1576	fywk61(l.exe	cmd.exe
PID 4328 wrote to memory of 1672	4328	cmd.exe	vssadmin.exe
PID 4328 wrote to memory of 1672	4328	cmd.exe	vssadmin.exe
PID 164 wrote to memory of 3124	164	cmd.exe	netsh.exe
PID 164 wrote to memory of 3124	164	cmd.exe	netsh.exe
PID 4328 wrote to memory of 4872	4328	cmd.exe	WMIC.exe
PID 4328 wrote to memory of 4872	4328	cmd.exe	WMIC.exe
PID 164 wrote to memory of 3148	164	cmd.exe	netsh.exe
PID 164 wrote to memory of 3148	164	cmd.exe	netsh.exe
PID 4328 wrote to memory of 2968	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 2968	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 4756	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 4756	4328	cmd.exe	bcdedit.exe
PID 4328 wrote to memory of 952	4328	cmd.exe	wbadmin.exe
PID 4328 wrote to memory of 952	4328	cmd.exe	wbadmin.exe
PID 2444 wrote to memory of 3744	2444	Explorer.EXE	352.exe
PID 2444 wrote to memory of 3744	2444	Explorer.EXE	352.exe
PID 2444 wrote to memory of 3744	2444	Explorer.EXE	352.exe
PID 2444 wrote to memory of 3100	2444	Explorer.EXE	585.exe
PID 2444 wrote to memory of 3100	2444	Explorer.EXE	585.exe
PID 2444 wrote to memory of 3100	2444	Explorer.EXE	585.exe
PID 2444 wrote to memory of 3060	2444	Explorer.EXE	B04.exe
PID 2444 wrote to memory of 3060	2444	Explorer.EXE	B04.exe
PID 2444 wrote to memory of 3060	2444	Explorer.EXE	B04.exe
PID 2444 wrote to memory of 1128	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 1128	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 1128	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 1128	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 3912	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 3912	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 3912	2444	Explorer.EXE	explorer.exe
PID 3060 wrote to memory of 4016	3060	B04.exe	AppLaunch.exe
PID 3060 wrote to memory of 4016	3060	B04.exe	AppLaunch.exe
PID 3060 wrote to memory of 4016	3060	B04.exe	AppLaunch.exe
PID 3060 wrote to memory of 4016	3060	B04.exe	AppLaunch.exe
PID 2444 wrote to memory of 4536	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4536	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4536	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4536	2444	Explorer.EXE	explorer.exe
PID 3060 wrote to memory of 4016	3060	B04.exe	AppLaunch.exe
PID 2444 wrote to memory of 4832	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4832	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4832	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4832	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4680	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4680	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4680	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 4680	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 3468	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 3468	2444	Explorer.EXE	explorer.exe
PID 2444 wrote to memory of 3468	2444	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
"C:\Users\Admin\AppData\Local\Temp\a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 860
3⤵
- Program crash
PID:4760

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:348

C:\Users\Admin\AppData\Local\Temp\352.exe
C:\Users\Admin\AppData\Local\Temp\352.exe
2⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Local\Temp\585.exe
C:\Users\Admin\AppData\Local\Temp\585.exe
2⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\AppData\Local\Temp\B04.exe
C:\Users\Admin\AppData\Local\Temp\B04.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:2804

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 368
3⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1128

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4680

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4136

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4128

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4872

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5104

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe
"C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe
"C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:904

C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe
"C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe
"C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe"
2⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:164

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:3124

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3148

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1672

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2968

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4756

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:952

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5820

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4740

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5852

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:5952

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5888

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:6128

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4288

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2968

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1600

C:\Users\Admin\AppData\Local\Microsoft\q%5P_G.exe
"C:\Users\Admin\AppData\Local\Microsoft\q%5P_G.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[0F555336-3483].[[email protected]].8base
Filesize
3.2MB

MD5
f53e91bf2b75a564c36655ee412925a4

SHA1
8cd2df53e200f16fd4099626b444de7db39cd232

SHA256
2ec251d305b162df5befee8d4f1b2b1b9b04c3139c42ae61e39e8e6817eecf5f

SHA512
7c9d27630b54044460830d73f10db2ac9751f361de87f59f4858a14de9ae1643bf7fb32cdd2a133854206cf2635567b65b9c62b79a092fbfb4ebf9c5cf712e08

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\FBGCAAAA
Filesize
92KB

MD5
af5009cdd4f049305f4c28c436888d3a

SHA1
83c81b5cea60440658adee4a67bbc30eed70f4be

SHA256
04675530d043f487fd029ac90dd1de0551feea2b071576cc8af8bbd03d719ae8

SHA512
cf6a9ac59e0ac05c474a64a0b1f99b97108c29b83bb7011e3063b8157853b8eeab08c5f0909258cbddc52305b2f4d1834e55e470bdb865ce260c8aa06081f50e

Download Submit
C:\ProgramData\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\ProgramData\freebl3.dll
Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.7MB

MD5
943fa75de8ff40c23e96619f651ae4c1

SHA1
7e6e57ec97194176728b8d6dd1c4eed2abdc5209

SHA256
b1c013b694e7c0202448bfb12f3bb8a2450ee87d0660128aa1c9e92f1d311f80

SHA512
da01d3279090c8ad0039f3f29fb8bec25c60713a8fe528bb152d846dc8ce10a7e8a6703631a8421561ff6e31011b178566d095bf0f7eade67bb400027a82f020

Download Submit
C:\ProgramData\softokn3.dll
Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
984B

MD5
36ca56739de4e395e5b87e27be954bad

SHA1
2ac8094c6f124ebf93b4ae78cfa36079ff7b42fa

SHA256
702cb9f0c7f2bfb65721163e6012980f7d3ab5ef9c72f96ec058673a5f9840ac

SHA512
6098a55d5fab1657ee036f17e1e92afc1ee1b4334546ff8f2716f8ac7aed514e22c59d0ecc6c27a175a68470161f4c041a2ce06981ba55c4b370894be6b0e87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\fywk61(l.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\q%5P_G.exe
Filesize
164KB

MD5
5e11dd2bc2627a60f664e37c36e735a7

SHA1
550d348ea3f28ba8a0e67675775e26de282fc51f

SHA256
204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434

SHA512
5eef7950796c878b368871463cab0f79899b13b0649c38ee36b6630b55ab15b04b5859e833285965fd394eaab846eb09773733529f02b8f2606c1e59f7afe8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\q%5P_G.exe
Filesize
164KB

MD5
5e11dd2bc2627a60f664e37c36e735a7

SHA1
550d348ea3f28ba8a0e67675775e26de282fc51f

SHA256
204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434

SHA512
5eef7950796c878b368871463cab0f79899b13b0649c38ee36b6630b55ab15b04b5859e833285965fd394eaab846eb09773733529f02b8f2606c1e59f7afe8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe
Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe
Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\z8{AQZ.exe
Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\352.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\352.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\352.exe
Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png
Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png
Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png
Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png
Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png
Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png
Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png
Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png
Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.15063.0_none_5f8e4354b974f702\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
d3c040e9217f31648250f4ef718fa13d

SHA1
72e1174edd4ee04b9c72e6d233af0b83fbfc17dc

SHA256
52e4a039e563ee5b63bbf86bdaf28c2e91c87947f4edeebb42691502cb07cbd7

SHA512
e875f1ff68a425567024800c6000a861275c5b882f671178ca97d0dbf0dda2bdd832f38f02138a16817871aa2ddb154998987efc4a9b49ccaac6a22a9713a3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.15063.0_none_c4bc07330185781a\WalletProxy.dll
Filesize
36KB

MD5
590c906654ff918bbe91a14daac58627

SHA1
f598edc38b61654f12f57ab1ddad0f576fe74d0d

SHA256
5d37fbfe7320aa0e215be9d8b05d77a0f5ace2deec010606b512572af2bb4dfc

SHA512
98a50429b039f98dd9adda775e7d2a0d51bb2beea2452247a2041e1f20b3f13b505bcdeecd833030bbecb58f74a82721cc577932dec086fff64ecef5432e8f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.15063.0_none_e6c3164a2494c88b\Windows.ApplicationModel.Wallet.dll
Filesize
405KB

MD5
6161c69d5d0ea175d6c88d7921e41385

SHA1
088b440405ddba778df1736b71459527aca63363

SHA256
8128dff83791b26a01ce2146302f1d8b1159f4943844ab325522cf0fc1e2597e

SHA512
cba6e3d1fcb3147193adde3b0f4a95848996999180b59e7bdf16e834e055261cf53548c3972e84d81f840d862c5af53d44945cf4319f24705aecc7d47d1cda07

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat
Filesize
8KB

MD5
6523a368322f50d964b00962f74b3f65

SHA1
5f360ae5b5b5e76f390e839cf1b440333506e4e8

SHA256
652687424e20a2d6c16ea15ae653150467cfae4993d5ca28dc30106ff8a0ca67

SHA512
210737efc4e2775f261b0dc00ca1ad2aa1a7630633688c5bb9190fa5ff791e9757bbae190f4f7e931f8a4c7e4acf1effce479fdafd3952777ee40d08bdf1c046

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum
Filesize
1KB

MD5
f82f048efc3466bd287ecaa6f5a2d679

SHA1
9eedd9499deae645ffe402eb50361e83def12f14

SHA256
e35cd2ee9eae753175b9b88e032d4973672ff5677b9b7b79eaff1839e0c3044c

SHA512
5cc7337eebc480c482d56a8a5a2c788daa5c4e0370dc33d612caf59c65757cfa7cfc3cbb3321a7e01c6bb97e827962c4d156cfa661ea0b230a43e67940c81230

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
Filesize
8KB

MD5
be70c63aeccef9f4c5175a8741b13b69

SHA1
c5ef2591b7f1df2ecbca40219d2513d516825e9a

SHA256
d648d365d08a7c503edc75535a58f15b865f082b49355254d539a41bf3af87ff

SHA512
b93bf53a5c71a587df7b59fdcaf8046c47e5d82838666ca12e6f56e26c0b9223edf7bf3dbb9352d5718486c531e34a060a05d7924896ab3b6d370dd4ef262186

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum
Filesize
1KB

MD5
741bc0bd78e3693cb950954aa1bf2e52

SHA1
bd322ece9153b51214eda41bba0c6b803d6caa30

SHA256
a349648c7ac60c4711585d09d0c9012f2c8b96077ccaf957c672b34a05c5ad8d

SHA512
b6dd9a8b794ee35fe99f04f5d78b2168157e3fed76752a98b8a39cc5c567ec23581b5c348da6e149ab28ea0cb89c0c0d0f08545174f01ba9d45a860a4eb73b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.cat
Filesize
8KB

MD5
463a0532986607cb1ad6b26e94153c05

SHA1
9aa5b80581530693c1f3cb32a1e107532a2a1a96

SHA256
e07a11415f11c98fa5d6e8fb8baa515be4fd071d3528910273efcbec9e882075

SHA512
a004a39ec97d816f7e2f43cd4b1bd52acbdbc5f358a5bfe6d997bfed223af2b9a9653fee8fb57e0d4ed11135802a49b85a8286a8119996a4ed88c78f641b1f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.mum
Filesize
1KB

MD5
ac62b24ee1c94ba09ff3b85bba930bf2

SHA1
9a9aa17c629d9e2dc09078764f59f081f69bebab

SHA256
a044c0e9036e355cc530e88831cbbe60165477929d0f838c786a513937ff1628

SHA512
1168537c3a9b92c8534434f8cf68a3d4d95a48086beb194c68519db9b65f3f57706a678bb7accf085b9f121c069a8c1fae78a1a64df853fb039a761efebf130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat
Filesize
8KB

MD5
8f1ab8d6a77c7c01da26f26ddfe8b0f6

SHA1
4cae8a293cdf2b439dcd915ab070d9d94855411e

SHA256
f21e412d461eb8138fdc0f4f25d66882deed8c2498a2cbd764de5be116548a52

SHA512
17204b39b08a1275962949acb45b8f12d2d9f57ce49b16d369c58630fa185ac213ed87590dd8bc438e6bc1d477460c604bc346608744e526180b50c6f5e0a5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.mum
Filesize
1KB

MD5
1d420956e62d902c9bd65a62ba34bc2b

SHA1
fc917590f656b79d5d55112926dfa8e8e5635f45

SHA256
a29100bbcc276666b7182bf3b41cf6ddc1cac090dbc109f7674f2b46027fd67c

SHA512
c63177c1615d7635eb3eb13b55d67543954409acd06f19467c0bc20981278866fc3edd07cecf75c9d2256734fd315f05eb5f5f5f646e3960d89f5a969d3ca981

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.cat
Filesize
8KB

MD5
1ece20c692f338709ea3b121feb5ad38

SHA1
e5eb5b5cc4acb056088c6874e8b415d5c72c4d63

SHA256
7240a7307734a427de9afecd44929e13ae4d2bb1d1ea7c45806b809d43ac7d4a

SHA512
c7cb73e3bf8504860546c365b2d2ce112855f5b7d746c6ae889e21f0cfa9abead94dfe090268fd9e07314cb292a9ade5f6b7a37e7bfeea15c1b740c5bccdbdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.mum
Filesize
1KB

MD5
b62ccf58661ccf5f36e5150711bbfe1b

SHA1
ba057cf26ebcc7b3951ac44b58637ea3d9d2e516

SHA256
d8be26c66596f9f4a4ce5776d22d686dd31abd1bb5c659cb2d75faeb7e3e14d1

SHA512
3b10394f954621bf7c5add004fd3bef18c9ebba5765122358bf9015788f31cba1f334efcdfcd913d7351fa03d4e8f89f11ccb93dbd1ac9bc7bbfadaa654a9dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.cat
Filesize
8KB

MD5
d93ac1e6d7078f07ab83a2c96dfc71d9

SHA1
5326a1b1b3c9b950134b3d05a755355b07881a2b

SHA256
0e44999d33b50a526870b2d7210e7abd46696dc469a698fc52372104169098f6

SHA512
cab43acf474ec02753d0fd062791bad49b46bb63e1968b00eed566b7fc9cd73f089a84817f741ece99a895ea59206041904e68bc8a68ad6ff6287d5687c786fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum
Filesize
1KB

MD5
47ddc67f27f9e7d00e60b68be2ef1fd8

SHA1
6b804bbe0bfd5b15c86c7f2b01a3bd72c1d3e63e

SHA256
ae7030129ca67d8b57025cd91cf9978b9dbf7d4446420a846bee00c1ac6da75b

SHA512
dc9616d7f532d58de72375e913de1aac3dd2c953728288fedb95f491b8f04bd25b7c22c0fe28c87e0ff9465b7f1acf77ae64cb3f0dda87dc642b04ea8328f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
Filesize
10KB

MD5
241be6be4b06da4a85f1e110c01427c6

SHA1
42ee3232b1c182159696f66c15800a9878177bfb

SHA256
1ee08c4f17b4c7bebf42a09f6c5d8cf09257218b30bede48db3045fc8c07bb8f

SHA512
71df8d3d84393abd418b9c498960b3faf90d85caf60905961482b3c22c200782f55b6f69e23552c3938fe241baba6ad5d012038890f4ee882a0b824f4e091664

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~~10.0.15063.0.mum
Filesize
843B

MD5
c0ba2a5e38998a8241042491e1b48588

SHA1
39f7ab5e1fee3052a82e651070d5a8ed7de43685

SHA256
2d1336891463292c98d11cb42dd72d8c4335a311fc0b37bccc2161fdd55ff726

SHA512
01b46c0d2aed24b3f5c6ea9e50e2960c4855129e48207cff969843f4ae72ed15dacf531875d92ebbead031f82f70317446608d012d1be8f776c017a9f28c3d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat
Filesize
9KB

MD5
7defe9e392b71ddb561f14c55db5e0c7

SHA1
c9474a81bdd48067ef8862a0326896921ce50104

SHA256
441bccb6966c27b25627a4941fe4889b6962cc94db091593fc776b6be01219e8

SHA512
ff19c0a82b829f1eb65f861a539b2e92891f72bc6f5d6645c2b136ef5c1c237064efbe70c51bfd864c80af1f0655f9e34756ce44eac884bd0a37ae27ffd30dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C6\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum
Filesize
1KB

MD5
faa5d3edf8f8b47e17173dab27aff8f7

SHA1
ca402e701fe1da5188c8cb1583978a4a02be3e06

SHA256
c0056140377ab9c71080b45b0a4752cdb74bcbbab953033dba99088e132153db

SHA512
639bdf2114392ab5fea653348ead79727f08d63821db5d37f83923911b7da7dbd3a867163b2fc306626641ee0c16ae9956ca559192c0f5892c61df7947596cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\585.exe
Filesize
164KB

MD5
5e11dd2bc2627a60f664e37c36e735a7

SHA1
550d348ea3f28ba8a0e67675775e26de282fc51f

SHA256
204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434

SHA512
5eef7950796c878b368871463cab0f79899b13b0649c38ee36b6630b55ab15b04b5859e833285965fd394eaab846eb09773733529f02b8f2606c1e59f7afe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\585.exe
Filesize
164KB

MD5
5e11dd2bc2627a60f664e37c36e735a7

SHA1
550d348ea3f28ba8a0e67675775e26de282fc51f

SHA256
204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434

SHA512
5eef7950796c878b368871463cab0f79899b13b0649c38ee36b6630b55ab15b04b5859e833285965fd394eaab846eb09773733529f02b8f2606c1e59f7afe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\B04.exe
Filesize
1.2MB

MD5
4a9777a2bf4fa6e8945a0b48dfac8108

SHA1
36777152e87eb30a58e4b22430888ee0b065864e

SHA256
67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8

SHA512
ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B04.exe
Filesize
1.2MB

MD5
4a9777a2bf4fa6e8945a0b48dfac8108

SHA1
36777152e87eb30a58e4b22430888ee0b065864e

SHA256
67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8

SHA512
ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9laesmh3.default-release\cookies.sqlite.id[0F555336-3483].[[email protected]].8base
Filesize
96KB

MD5
953a5338c341e65f5e24365217cd82b6

SHA1
386574a7d41ba97d1a96dd7ab4772334c6e3c6b3

SHA256
c6c508522291f2acdee192c4bb478859659c43300a2ae42bf2fdebf9ae94915a

SHA512
a14ae6e9fad2a3029ebd6b2cb5c4135890e0abfd862f83d84b79b8fd7b5b9a4c38137fd90a04340dca34e2bf2030bfac51a7ee87c022f1394f56c71ce737ac1b

Download Submit
C:\info.hta
Filesize
5KB

MD5
8f87c9303e5a3fb1a29edf1ccda5d59c

SHA1
fa8c6c275768b440fda79e5ca2d26649399c19b2

SHA256
6671bf663b181d913e5dcd152a1a618aa72646053d10f21f3ea7df2b947d9bdc

SHA512
c5b7c3f6adf51fb08e4489c0766411c8f3c0ff6e3fffac813dcba9d7eae2315d746619871a9521d24b9a8d39a5bbd9e37393d5239b2262b3a3d7d25783ac47c2

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/348-157-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-158-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-165-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-164-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-179-0x000001C3BF920000-0x000001C3BF925000-memory.dmp

Filesize
20KB

Download
memory/348-180-0x00007FFAECBF0000-0x00007FFAECDCB000-memory.dmp

Filesize
1.9MB

Download
memory/348-163-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-162-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-161-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-144-0x000001C3BF790000-0x000001C3BF793000-memory.dmp

Filesize
12KB

Download
memory/348-147-0x000001C3BF920000-0x000001C3BF927000-memory.dmp

Filesize
28KB

Download
memory/348-148-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-149-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-150-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-160-0x00007FFAECBF0000-0x00007FFAECDCB000-memory.dmp

Filesize
1.9MB

Download
memory/348-159-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-170-0x00007FFAECBF0000-0x00007FFAECDCB000-memory.dmp

Filesize
1.9MB

Download
memory/348-155-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-128-0x000001C3BF790000-0x000001C3BF793000-memory.dmp

Filesize
12KB

Download
memory/348-151-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/348-152-0x00007FF6D03B0000-0x00007FF6D04DD000-memory.dmp

Filesize
1.2MB

Download
memory/684-6332-0x0000000002B30000-0x0000000002B39000-memory.dmp

Filesize
36KB

Download
memory/684-6313-0x0000000002B40000-0x0000000002B45000-memory.dmp

Filesize
20KB

Download
memory/904-188-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/904-241-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/904-192-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1056-1594-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/1056-1595-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1128-5173-0x0000000003030000-0x000000000309B000-memory.dmp

Filesize
428KB

Download
memory/1128-4989-0x0000000003030000-0x000000000309B000-memory.dmp

Filesize
428KB

Download
memory/1128-4967-0x0000000003030000-0x000000000309B000-memory.dmp

Filesize
428KB

Download
memory/1128-4972-0x00000000030A0000-0x0000000003115000-memory.dmp

Filesize
468KB

Download
memory/1304-118-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/1304-138-0x0000000002330000-0x0000000002366000-memory.dmp

Filesize
216KB

Download
memory/1304-142-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/1304-132-0x0000000002330000-0x0000000002366000-memory.dmp

Filesize
216KB

Download
memory/1304-126-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1304-127-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/1304-141-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1304-131-0x0000000002100000-0x0000000002171000-memory.dmp

Filesize
452KB

Download
memory/1304-139-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/1304-125-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/1304-123-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/1304-122-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/1304-124-0x00000000024D0000-0x00000000028D0000-memory.dmp

Filesize
4.0MB

Download
memory/1304-121-0x0000000002190000-0x0000000002197000-memory.dmp

Filesize
28KB

Download
memory/1304-120-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1304-119-0x0000000002100000-0x0000000002171000-memory.dmp

Filesize
452KB

Download
memory/1576-181-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1576-2305-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1576-312-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1576-4394-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1576-497-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1576-182-0x0000000000550000-0x000000000055F000-memory.dmp

Filesize
60KB

Download
memory/1576-183-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1576-859-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1776-6559-0x0000000002E60000-0x0000000002E6B000-memory.dmp

Filesize
44KB

Download
memory/1776-6545-0x0000000002E70000-0x0000000002E78000-memory.dmp

Filesize
32KB

Download
memory/2444-205-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2708-6005-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/2708-6004-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/2864-6270-0x0000000002980000-0x00000000029A7000-memory.dmp

Filesize
156KB

Download
memory/2864-6267-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/3060-4959-0x0000000000BE0000-0x0000000000D19000-memory.dmp

Filesize
1.2MB

Download
memory/3468-6243-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/3468-5492-0x00000000004E0000-0x00000000004EF000-memory.dmp

Filesize
60KB

Download
memory/3468-5480-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/3468-5464-0x00000000004E0000-0x00000000004EF000-memory.dmp

Filesize
60KB

Download
memory/3912-4958-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/3912-4957-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/4016-4961-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/4016-5070-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/4016-5609-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4084-6535-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/4084-6534-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/4128-5806-0x0000000002A70000-0x0000000002A79000-memory.dmp

Filesize
36KB

Download
memory/4128-5832-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/4136-5619-0x0000000002A70000-0x0000000002A79000-memory.dmp

Filesize
36KB

Download
memory/4136-6283-0x0000000002A80000-0x0000000002A85000-memory.dmp

Filesize
20KB

Download
memory/4136-5621-0x0000000002A80000-0x0000000002A85000-memory.dmp

Filesize
20KB

Download
memory/4136-5622-0x0000000002A70000-0x0000000002A79000-memory.dmp

Filesize
36KB

Download
memory/4492-191-0x0000000000550000-0x0000000000555000-memory.dmp

Filesize
20KB

Download
memory/4492-1460-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/4492-190-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/4492-193-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4536-5046-0x0000000000300000-0x0000000000309000-memory.dmp

Filesize
36KB

Download
memory/4536-5020-0x0000000000300000-0x0000000000309000-memory.dmp

Filesize
36KB

Download
memory/4680-6003-0x0000000003270000-0x0000000003277000-memory.dmp

Filesize
28KB

Download
memory/4680-5260-0x0000000003260000-0x000000000326B000-memory.dmp

Filesize
44KB

Download
memory/4680-5317-0x0000000003270000-0x0000000003277000-memory.dmp

Filesize
28KB

Download
memory/4680-5318-0x0000000003260000-0x000000000326B000-memory.dmp

Filesize
44KB

Download
memory/4780-185-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/4780-184-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/4832-5096-0x0000000002B00000-0x0000000002B0B000-memory.dmp

Filesize
44KB

Download
memory/4832-5097-0x0000000002B10000-0x0000000002B1A000-memory.dmp

Filesize
40KB

Download
memory/4832-5098-0x0000000002B00000-0x0000000002B0B000-memory.dmp

Filesize
44KB

Download
memory/4872-5936-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/4872-5957-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/5104-6524-0x0000000002B30000-0x0000000002B39000-memory.dmp

Filesize
36KB

Download
memory/5104-6525-0x0000000002DE0000-0x0000000002DEB000-memory.dmp

Filesize
44KB

Download