Malware Analysis Report

2024-11-16 12:19

Sample ID 230715-g77elshb39
Target 437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb
SHA256 437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb

Threat Level: Known bad

The file 437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Detect rhadamanthys stealer shellcode

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Phobos

SystemBC

Renames multiple (462) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Deletes backup catalog

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Deletes itself

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Interacts with shadow copies

Checks processor information in registry

Modifies registry class

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Checks SCSI registry key(s)

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 06:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
1 match; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 06:27

Reported

2023-07-15 06:30

Platform

win10-20230703-en

Max time kernel

108s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description | Indicator | Process | Target
6 matches; no description, indicator, process or target recorded.

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4924 created 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe | C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (462) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
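The four signatures above (shadow copies, bcdedit, backup catalog, Windows Firewall) are the recovery-inhibition chain Phobos runs before encrypting, but the report records only the executable names, not the command lines. The following is an added example, not part of the sandbox output, of how to turn those individually noisy LOLBin executions into one high-confidence alert by correlating them under a common parent. The process events are constructed; their command lines follow publicly documented Phobos tradecraft and are assumptions, not data from this report.

```python
"""Correlate the recovery-inhibition commands this report attributes to
vssadmin.exe, bcdedit.exe, wbadmin.exe and netsh.exe into one alert.
Added example: the process events below are constructed, with command
lines taken from publicly documented Phobos tradecraft, because the
report itself records only the executable names."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds since detonation start (constructed)
    pid: int
    ppid: int        # parent that launched the LOLBin (cmd.exe here)
    image: str
    cmdline: str


# (category, pattern over the lower-cased command line). Each category is
# one distinct recovery-inhibition action; several patterns may map to one.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    ("boot_recovery_disable", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b")),
    ("firewall_disable", re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b.*\b(off|disable)\b")),
]


def classify(ev: ProcEvent) -> set:
    """Categories a single process event matches (empty set = benign)."""
    cl = ev.cmdline.lower()
    return {cat for cat, rx in RULES if rx.search(cl)}


def correlate(events, window=120.0, min_categories=2):
    """Alert once per parent that drives >= min_categories distinct
    categories within `window` seconds. A lone `vssadmin list shadows`
    or a single bcdedit call never reaches the threshold; the Phobos
    chain (shadows + catalog + boot policy + firewall) does."""
    per_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        for cat in classify(ev):
            per_parent[ev.ppid].append((ev.ts, cat, ev))

    alerts = []
    for ppid, hits in per_parent.items():
        for t0, _, _ in hits:
            in_window = [h for h in hits if t0 <= h[0] <= t0 + window]
            cats = {h[1] for h in in_window}
            if len(cats) >= min_categories:
                alerts.append({
                    "parent_pid": ppid,
                    "first_ts": t0,
                    "categories": sorted(cats),
                    "evidence": [h[2].cmdline for h in in_window],
                })
                break
    return alerts


# Constructed telemetry: PIDs, timings and command lines are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(10.2, 5010, 5000, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(10.4, 5011, 5000, r"C:\Windows\system32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(10.6, 5012, 5000, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(10.8, 5013, 5000, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(11.0, 5014, 5000, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(11.2, 5015, 5000, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    ProcEvent(11.4, 5016, 5000, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    # Benign admin activity under a different parent: must not alert.
    ProcEvent(300.0, 7000, 6000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"parent {a['parent_pid']} at t={a['first_ts']}s: {', '.join(a['categories'])}")
        for line in a["evidence"]:
            print("   ", line)
```

Grouping by parent rather than by host is deliberate: on a real endpoint the chain is typically driven from one cmd.exe the ransomware spawns, so the parent PID is the cheapest join key that does not also pull in an administrator's unrelated `vssadmin` or `bcdedit` usage elsewhere on the box.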

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\certreq.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\vr`.exe | C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C20D5CCA-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vr` = "C:\\Users\\Admin\\AppData\\Local\\vr`.exe" | C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\vr` = "C:\\Users\\Admin\\AppData\\Local\\vr`.exe" | C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
All 64 rows: Description = File opened for modification, Process = C:\Users\Admin\AppData\Local\Microsoft\vr`.exe, Target = N/A. Indicators, in the order listed:
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\$Recycle.Bin\S-1-5-21-3229013990-3330391637-2814184332-1000\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4856 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe | C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 4452 set thread context of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\929E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
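Two process-manipulation signatures in this report are worth detecting from telemetry rather than from the sandbox's labels: the NtCreateUserProcessOtherParentProcess entry (PID 4924, the sample, creating PID 3724 with a parent other than the caller) and the two SetThreadContext entries above (7PzX.exe into a second 7PzX.exe, and 929E.exe into AppLaunch.exe). The following is an added example, not from the report or the sandbox, of the two checks. PIDs 4924, 3724, 4856, 1540, 4452 and 2196 and their images are taken from the report; the parent and creator fields, PID 2000 for the legitimate shell, and the list of hollowing hosts are assumptions.

```python
"""Flag the two process-manipulation patterns this report records:
NtCreateUserProcess with a parent other than the caller (parent PID
spoofing) and SetThreadContext on a thread of another process (the
hollowing step). Added example; PIDs and images for the spoofing case
are constructed around the report's PID 4924 -> 3724 entry, since the
report does not say which parent was claimed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent_pid: int              # parent recorded on the process object (attacker-controlled)
    creator_pid: Optional[int]   # caller of NtCreateUserProcess, from kernel telemetry


@dataclass(frozen=True)
class ThreadContextWrite:        # NtSetContextThread / SetThreadContext telemetry
    caller_pid: int
    target_pid: int


# .NET utilities commonly used as hollowing hosts; AppLaunch.exe is the one
# this report shows. Assumed starting list, extend from your own telemetry.
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_ppid_spoofing(procs):
    """Recorded parent != actual creator means the creator passed
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. Tree-based detections that
    trust the recorded parent miss the real origin."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.creator_pid is None or p.creator_pid == p.parent_pid:
            continue
        findings.append({
            "pid": p.pid,
            "image": p.image,
            "claimed_parent": by_pid[p.parent_pid].image if p.parent_pid in by_pid else str(p.parent_pid),
            "real_creator": by_pid[p.creator_pid].image if p.creator_pid in by_pid else str(p.creator_pid),
        })
    return findings


def detect_cross_process_context(events, procs):
    """Writing a thread context into another process is the step that
    redirects a suspended child's entry point to injected code."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for e in events:
        if e.caller_pid == e.target_pid:
            continue  # a process adjusting its own threads is routine
        src, dst = by_pid[e.caller_pid].image, by_pid[e.target_pid].image
        if basename(dst) in HOLLOWING_HOSTS:
            sev, why = "high", "target is a known hollowing host"
        elif basename(src) == basename(dst):
            sev, why = "medium", "same image in a second process (self-hollowing / unpacking)"
        else:
            sev, why = "medium", "cross-process thread context write"
        findings.append({"severity": sev, "reason": why, "source": src, "target": dst,
                         "caller_pid": e.caller_pid, "target_pid": e.target_pid})
    return findings


# Constructed process table. PIDs 4924/3724, 4856/1540, 4452/2196 and their
# images come from the report; PID 2000 and the parent/creator columns are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe"
PROCS = [
    Proc(2000, r"C:\Windows\Explorer.EXE", 1500, 1500),            # legitimate shell
    Proc(4924, SAMPLE, 2000, 2000),                                 # sample launched from the shell
    Proc(3724, r"C:\Windows\Explorer.EXE", 2000, 4924),            # recorded parent: shell; creator: sample
    Proc(4856, r"C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe", 3724, 3724),
    Proc(1540, r"C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe", 4856, 4856),
    Proc(4452, r"C:\Users\Admin\AppData\Local\Temp\929E.exe", 3724, 3724),
    Proc(2196, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 4452, 4452),
]
CONTEXT_WRITES = [ThreadContextWrite(4856, 1540), ThreadContextWrite(4452, 2196)]

if __name__ == "__main__":
    for f in detect_ppid_spoofing(PROCS):
        print("PPID spoofing:", f)
    for f in detect_cross_process_context(CONTEXT_WRITES, PROCS):
        print(f["severity"], f["reason"], f["source"], "->", f["target"])
```

The creator PID is the field that matters: Sysmon event 1 and most process-tree views show the recorded (spoofable) parent, so the spoofing check needs a source that sees the actual caller of NtCreateUserProcess (a kernel process-creation callback or an EDR that exposes it).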

Drops file in Program Files directory

Description | Indicator | Process | Target
All 64 rows: Process = C:\Users\Admin\AppData\Local\Microsoft\vr`.exe, Target = N/A. Description | Indicator, in the order listed:
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White.png.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-200.png
File created | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dd.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Deal\New-Deal-up.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_audit_report_18.svg.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24_altform-unplated.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll
File created | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\190.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_12d.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-white.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\ui-strings.js
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_sv_135x40.svg
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar
File created | C:\Program Files\Java\jre1.8.0_66\bin\jawt.dll.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Wood.dxt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gh_16x11.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-150.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsym.ttf
File created | C:\Program Files\7-Zip\Lang\fi.txt.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_de.properties.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Mozilla Firefox\application.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\[email protected]
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot.cur.id[C20D5CCA-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.id[C20D5CCA-3483].[[email protected]].8base
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-100.png
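Every "File created" row above, the Startup-folder row earlier, and the "Renames multiple (462) files with added filename extension" signature all show the same Phobos naming scheme: the original name followed by `.id[<victim id>].[<contact address>].8base`, with victim id C20D5CCA-3483 throughout this detonation (the contact address is obfuscated on this page and is not recoverable from it). The following is an added example, not code from the report, that parses that scheme and builds a post-incident inventory. The sample paths are taken from the rows above, with a placeholder contact address, plus constructed untouched files for the negative case.

```python
"""Parse the Phobos/8Base naming scheme seen throughout this report,
<original>.id[<victim-id>].[<contact>].<ext>, and build a post-incident
inventory. Added example; the sample paths are taken from this report
with the contact address replaced by a placeholder, plus constructed
untouched files to show the negative case."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# victim id: 8 hex chars, a dash, 4 digits (C20D5CCA-3483 in this report)
PHOBOS_NAME = re.compile(
    r"^(?P<orig>.+?)\.id\[(?P<vid>[0-9A-F]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]*)\]\.(?P<ext>[A-Za-z0-9]+)$", re.IGNORECASE)


def parse_encrypted_name(filename: str):
    """Components of an encrypted file name, or None if it does not match."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


def original_path(path: str):
    """Path the file had before encryption (what a decryptor should restore)."""
    p = PureWindowsPath(path)
    info = parse_encrypted_name(p.name)
    return str(p.with_name(info["orig"])) if info else None


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def inventory(paths):
    """Count encrypted files and check the scheme is internally consistent:
    one victim id and one contact per infection. An original that still
    sits next to its encrypted copy is worth a look: the file was in use,
    the encryptor was interrupted, or the delete never happened."""
    present = {_norm(p) for p in paths}
    encrypted = {}
    for p in paths:
        info = parse_encrypted_name(PureWindowsPath(p).name)
        if info:
            encrypted[p] = info
    survivors = sorted(original_path(p) for p in encrypted
                       if _norm(original_path(p)) in present)
    return {
        "encrypted": len(encrypted),
        "victim_ids": Counter(i["vid"].upper() for i in encrypted.values()),
        "contacts": Counter(i["contact"] for i in encrypted.values()),
        "extensions": Counter(i["ext"].lower() for i in encrypted.values()),
        "originals_still_present": survivors,
        # first directory under the drive root, to see how far the encryptor got
        "by_top_dir": Counter(PureWindowsPath(p).parts[1] for p in encrypted),
    }


CONTACT = "contact@example.invalid"   # placeholder; the real address is not legible on this page
SAMPLE_PATHS = [  # first five derived from rows in this report, last two constructed
    rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C20D5CCA-3483].[{CONTACT}].8base",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    rf"C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.id[C20D5CCA-3483].[{CONTACT}].8base",
    rf"C:\Program Files\7-Zip\Lang\fi.txt.id[C20D5CCA-3483].[{CONTACT}].8base",
    rf"C:\Program Files\Java\jre1.8.0_66\bin\jawt.dll.id[C20D5CCA-3483].[{CONTACT}].8base",
    r"C:\Program Files\Java\jre1.8.0_66\bin\java.dll",
    rf"C:\Users\Admin\Documents\notes.txt.id[C20D5CCA-3483].[{CONTACT}].8base",
]

if __name__ == "__main__":
    inv = inventory(SAMPLE_PATHS)
    print(f"{inv['encrypted']} encrypted files, victim ids {dict(inv['victim_ids'])}, "
          f"extensions {dict(inv['extensions'])}")
    print("originals still present:", inv["originals_still_present"])
    for p in SAMPLE_PATHS:
        if (o := original_path(p)):
            print(f"restore {p} -> {o}")
```

On a real host, feed `inventory` the output of a recursive directory walk over the affected volumes; a second victim id or contact address in the counters means more than one run or more than one affiliate touched the box, which changes the decryption and attribution picture.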

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
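The SCSI device keys and ProcessorNameString read above (by 7PzX.exe and by the injected certreq.exe and AppLaunch.exe) are the usual places malware looks for hypervisor vendor strings before deciding whether to run. The same lookup is a quick hygiene check for an analysis VM. The following is an added example, not from the report: a pure function that scans key paths and values for common hypervisor markers, plus a Windows-only collector that reads the same keys via `winreg`. The sandbox values are constructed from the key paths in this report (the report shows FriendlyName being queried, not its content), and the VMware guest is hypothetical.

```python
"""Check the registry values this report shows being read for hypervisor
vendor strings: SCSI device keys (FriendlyName and the key name itself)
and CentralProcessor\\0\\ProcessorNameString. Malware uses these to
fingerprint sandboxes; the same check tells you whether your analysis
VM is leaking. Added example; the sample values are constructed from
the key paths in this report plus a hypothetical VMware guest."""
import re
import sys

# Substrings that identify common hypervisors in device and CPU strings.
VM_MARKERS = re.compile(
    r"vmware|virtualbox|vbox|innotek|qemu|bochs|xen|kvm|parallels|hyper-v|virtual",
    re.IGNORECASE)


def find_vm_markers(values):
    """values: {registry path: string data}. Returns {path: matched marker}
    for entries whose key path or data contains a hypervisor marker."""
    hits = {}
    for path, data in values.items():
        m = VM_MARKERS.search(f"{path} {data}")
        if m:
            hits[path] = m.group(0).lower()
    return hits


def collect_from_registry():
    """Read the same values on a live Windows host (winreg is Windows-only).
    CurrentControlSet resolves to the ControlSet001 keys the report lists."""
    if sys.platform != "win32":
        raise RuntimeError("registry collection only works on Windows")
    import winreg
    out = {}
    cpu = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, cpu) as k:
        out[cpu + r"\ProcessorNameString"] = winreg.QueryValueEx(k, "ProcessorNameString")[0]
    scsi = r"SYSTEM\CurrentControlSet\Enum\SCSI"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, scsi) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):          # e.g. Disk&Ven_DADY&Prod_HARDDISK
            dev = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):  # instance ids
                    inst = winreg.EnumKey(devkey, j)
                    try:
                        with winreg.OpenKey(devkey, inst) as ik:
                            path = scsi + "\\" + dev + "\\" + inst + "\\FriendlyName"
                            out[path] = winreg.QueryValueEx(ik, "FriendlyName")[0]
                    except OSError:
                        pass  # instance without a FriendlyName value
    return out


# Constructed from the key paths in this report; value data is assumed.
SANDBOX_VALUES = {
    r"SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName": "DADY HARDDISK SCSI Disk Device",
    r"SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName": "DADY DADY DVD-ROM SCSI CdRom Device",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz",
}
# Hypothetical un-hardened VMware guest: the vendor leaks through both the key name and the data.
LEAKY_VALUES = {
    r"SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000\FriendlyName": "VMware Virtual disk SCSI Disk Device",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz",
}

if __name__ == "__main__":
    values = collect_from_registry() if sys.platform == "win32" else SANDBOX_VALUES
    print(find_vm_markers(values) or "no hypervisor markers found")
```

Note that the device key name (`Disk&Ven_VMware&Prod_Virtual_disk`) leaks the vendor even when FriendlyName has been rewritten, which is why the check runs over the path as well as the data; a sandbox that only patches the value is still fingerprintable through `Key enumerated` on Enum\SCSI, exactly the call 7PzX.exe makes above.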

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
All 42 rows: Description = N/A, Indicator = N/A, Target = N/A. Process column, in the order listed, with consecutive identical rows collapsed:
C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe | 4 rows
C:\Windows\system32\certreq.exe | 4 rows
C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe | 2 rows
C:\Windows\Explorer.EXE | 8 rows
C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | 2 rows
C:\Windows\Explorer.EXE | 12 rows
C:\Users\Admin\AppData\Local\Microsoft\vr`.exe | 2 rows
C:\Windows\Explorer.EXE | 8 rows
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe C:\Windows\system32\certreq.exe
PID 4924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe C:\Windows\system32\certreq.exe
PID 4924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe C:\Windows\system32\certreq.exe
PID 4924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe C:\Windows\system32\certreq.exe
PID 4856 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 4856 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 4856 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 4856 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 4856 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 4856 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe
PID 5072 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Microsoft\vr`.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4652 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4776 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4776 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4652 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4652 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4776 wrote to memory of 4196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4776 wrote to memory of 4196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4776 wrote to memory of 580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4776 wrote to memory of 580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4776 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4776 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4776 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4776 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3724 wrote to memory of 692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89A4.exe
PID 3724 wrote to memory of 692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89A4.exe
PID 3724 wrote to memory of 692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89A4.exe
PID 3724 wrote to memory of 3240 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8B99.exe
PID 3724 wrote to memory of 3240 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8B99.exe
PID 3724 wrote to memory of 3240 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8B99.exe
PID 3724 wrote to memory of 4452 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\929E.exe
PID 3724 wrote to memory of 4452 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\929E.exe
PID 3724 wrote to memory of 4452 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\929E.exe
PID 3724 wrote to memory of 1092 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 1092 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 1092 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 1092 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 5076 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3724 wrote to memory of 5076 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3724 wrote to memory of 5076 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 4452 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\929E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4452 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\929E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4452 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\929E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4452 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\929E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3724 wrote to memory of 4128 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4128 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4128 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4128 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 4452 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\929E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3724 wrote to memory of 4684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4808 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4808 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4808 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 4808 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3724 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3724 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3724 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe

"C:\Users\Admin\AppData\Local\Temp\437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 860

C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe

"C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe"

C:\Users\Admin\AppData\Local\Microsoft\vr`.exe

"C:\Users\Admin\AppData\Local\Microsoft\vr`.exe"

C:\Users\Admin\AppData\Local\Microsoft\mJB(xN.exe

"C:\Users\Admin\AppData\Local\Microsoft\mJB(xN.exe"

C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe

"C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe"

C:\Users\Admin\AppData\Local\Microsoft\vr`.exe

"C:\Users\Admin\AppData\Local\Microsoft\vr`.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\89A4.exe

C:\Users\Admin\AppData\Local\Temp\89A4.exe

C:\Users\Admin\AppData\Local\Temp\8B99.exe

C:\Users\Admin\AppData\Local\Temp\8B99.exe

C:\Users\Admin\AppData\Local\Temp\929E.exe

C:\Users\Admin\AppData\Local\Temp\929E.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 360

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 3.219.36.46.in-addr.arpa udp
EE 46.36.219.3:80 admlogs195.xyz tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 admhexlogs215.xyz udp
EE 46.36.218.224:80 admhexlogs215.xyz tcp
US 8.8.8.8:53 224.218.36.46.in-addr.arpa udp
US 8.8.8.8:53 liiala0j.beget.tech udp
RU 5.101.152.100:80 liiala0j.beget.tech tcp
US 8.8.8.8:53 100.152.101.5.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 185.244.48.81:80 185.244.48.81 tcp
US 8.8.8.8:53 81.48.244.185.in-addr.arpa udp
US 8.8.8.8:53 221.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/4924-121-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/4924-122-0x00000000021A0000-0x0000000002211000-memory.dmp

memory/4924-123-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4924-124-0x00000000005A0000-0x00000000005A7000-memory.dmp

memory/4924-125-0x0000000002460000-0x0000000002860000-memory.dmp

memory/4924-126-0x0000000002460000-0x0000000002860000-memory.dmp

memory/4924-127-0x0000000002460000-0x0000000002860000-memory.dmp

memory/4924-128-0x0000000002460000-0x0000000002860000-memory.dmp

memory/4924-129-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4924-130-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/2336-131-0x0000016830B10000-0x0000016830B13000-memory.dmp

memory/4924-134-0x00000000021A0000-0x0000000002211000-memory.dmp

memory/4924-135-0x00000000031A0000-0x00000000031D6000-memory.dmp

memory/4924-141-0x00000000031A0000-0x00000000031D6000-memory.dmp

memory/4924-142-0x0000000002460000-0x0000000002860000-memory.dmp

memory/4924-144-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4924-145-0x0000000002460000-0x0000000002860000-memory.dmp

memory/2336-147-0x0000016830B10000-0x0000016830B13000-memory.dmp

memory/2336-150-0x0000016830EC0000-0x0000016830EC7000-memory.dmp

memory/2336-151-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-152-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-153-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-154-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-155-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-158-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-160-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-161-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-162-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-163-0x00007FFE04E10000-0x00007FFE04FEB000-memory.dmp

memory/2336-164-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-165-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-166-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-167-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

memory/2336-168-0x00007FF6F04D0000-0x00007FF6F05FD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

C:\Users\Admin\AppData\Local\Microsoft\vr`.exe

MD5 34f108f02f597ef5d4a838f76bd4777d
SHA1 f992c0b6282ebdfb4a059a16142177201534a89c
SHA256 89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953
SHA512 1722dc18036cdc11aab0e8fdb1e9106132d644247029a72dd97806e28091bf757a516e31daeb9eff14041fabe975d08ccf21fa10d2b837770a3fe855c7f05de3

memory/2336-177-0x00007FFE04E10000-0x00007FFE04FEB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\mJB(xN.exe

MD5 5e11dd2bc2627a60f664e37c36e735a7
SHA1 550d348ea3f28ba8a0e67675775e26de282fc51f
SHA256 204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434
SHA512 5eef7950796c878b368871463cab0f79899b13b0649c38ee36b6630b55ab15b04b5859e833285965fd394eaab846eb09773733529f02b8f2606c1e59f7afe8fe

memory/4856-182-0x0000000000850000-0x0000000000950000-memory.dmp

memory/4856-183-0x0000000000830000-0x0000000000839000-memory.dmp

memory/1540-184-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\7PzX.exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

memory/5072-187-0x0000000000630000-0x0000000000730000-memory.dmp

memory/5072-188-0x00000000001F0000-0x00000000001FF000-memory.dmp

memory/1540-186-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5072-189-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\vr`.exe

MD5 34f108f02f597ef5d4a838f76bd4777d
SHA1 f992c0b6282ebdfb4a059a16142177201534a89c
SHA256 89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953
SHA512 1722dc18036cdc11aab0e8fdb1e9106132d644247029a72dd97806e28091bf757a516e31daeb9eff14041fabe975d08ccf21fa10d2b837770a3fe855c7f05de3

memory/2336-192-0x0000016830EC0000-0x0000016830EC5000-memory.dmp

memory/2336-193-0x00007FFE04E10000-0x00007FFE04FEB000-memory.dmp

memory/3724-194-0x0000000000A20000-0x0000000000A36000-memory.dmp

memory/1540-195-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C20D5CCA-3483].[[email protected]].8base

MD5 48802d94952db8df8ef10df6ad3645bd
SHA1 9a60338cfe16f3dbe6029698b3a953d80e3286fa
SHA256 9ac5141e1928e8f69505077ff0f9adb6f0c2c540952197c5f5ae5dcbfb622d35
SHA512 e7668a84d28dfe56457c47e9c4dc47e44a1c48982d77e1cc38f6c38a3a84847883bb407e3d825e144f9469f08042d381274e6b1615bb6cb5d82e17f52644ca4c

memory/5072-901-0x00000000001F0000-0x00000000001FF000-memory.dmp

memory/5072-1249-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2568-1250-0x0000000000570000-0x0000000000670000-memory.dmp

memory/5072-1258-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/5072-1334-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2568-1295-0x00000000001F0000-0x00000000001F5000-memory.dmp

memory/2568-1377-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3340-2275-0x0000000000680000-0x0000000000780000-memory.dmp

memory/3340-2281-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2568-3059-0x0000000000570000-0x0000000000670000-memory.dmp

memory/5072-3862-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3340-4388-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89A4.exe

MD5 34f108f02f597ef5d4a838f76bd4777d
SHA1 f992c0b6282ebdfb4a059a16142177201534a89c
SHA256 89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953
SHA512 1722dc18036cdc11aab0e8fdb1e9106132d644247029a72dd97806e28091bf757a516e31daeb9eff14041fabe975d08ccf21fa10d2b837770a3fe855c7f05de3

C:\Users\Admin\AppData\Local\Temp\8B99.exe

MD5 5aaa271e450f4be6a269af69aefb2768
SHA1 64465c850b883c9dee5dfe9877b2a03d72bc3f3b
SHA256 a79846e5685f2e79e36614a9f8c17476c6eb140b44954234a8842590cd7e7c29
SHA512 7a7981016391eb7bebb155711ac40c9808b9ad7464daaed850793f37c8fd404878e493c8894049b125fb7b03c92e64da62794b6fbdd481e2753ab62a0bc20213

C:\Users\Admin\AppData\Local\Temp\929E.exe

MD5 4a9777a2bf4fa6e8945a0b48dfac8108
SHA1 36777152e87eb30a58e4b22430888ee0b065864e
SHA256 67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8
SHA512 ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

memory/1092-4871-0x0000000003310000-0x000000000337B000-memory.dmp

memory/1092-4872-0x0000000003380000-0x00000000033F5000-memory.dmp

memory/1092-4873-0x0000000003310000-0x000000000337B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\929E.exe

MD5 4a9777a2bf4fa6e8945a0b48dfac8108
SHA1 36777152e87eb30a58e4b22430888ee0b065864e
SHA256 67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8
SHA512 ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

memory/5076-4876-0x00000000001C0000-0x00000000001C7000-memory.dmp

memory/5076-4877-0x00000000001B0000-0x00000000001BC000-memory.dmp

memory/5076-4875-0x00000000001B0000-0x00000000001BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xcsgzdt0.default-release\cookies.sqlite.id[C20D5CCA-3483].[[email protected]].8base

MD5 88eccf4845bd8e01224efb0143eb849f
SHA1 268dfaa3ba8ff05beb75156e74c5f123ce0bb956
SHA256 165c846a42ea0754c85bab2b548ce0d356c77b43642f4d00126da669fc2e13c7
SHA512 868bc88fb94b0e984274ea47e12b6648dfd03f0caa69b69d746989b5c2f39c103f09e647affa8adf31634641656d718a606bcc1b351e0f88b3cc4ec2319295d9

memory/2196-4977-0x0000000000400000-0x000000000062D000-memory.dmp

memory/4452-4976-0x0000000001370000-0x00000000014A9000-memory.dmp

memory/4128-5019-0x0000000000730000-0x0000000000739000-memory.dmp

memory/4128-5065-0x0000000000730000-0x0000000000739000-memory.dmp

memory/4128-5035-0x0000000000740000-0x0000000000744000-memory.dmp

memory/2196-5078-0x0000000000400000-0x000000000062D000-memory.dmp

memory/4684-5138-0x0000000000520000-0x000000000052B000-memory.dmp

memory/5072-5139-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4684-5140-0x0000000000530000-0x0000000000531000-memory.dmp

memory/1092-5144-0x0000000003310000-0x000000000337B000-memory.dmp

memory/4684-5143-0x0000000000520000-0x000000000052B000-memory.dmp

memory/4808-5385-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/4808-5384-0x00000000003C0000-0x00000000003C7000-memory.dmp

memory/2544-5598-0x0000000000E80000-0x0000000000E8F000-memory.dmp

memory/2544-5614-0x0000000000E80000-0x0000000000E8F000-memory.dmp

memory/2544-5599-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/2196-5619-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3420-5693-0x0000000000CD0000-0x0000000000CD5000-memory.dmp

memory/3420-5712-0x0000000000CC0000-0x0000000000CC9000-memory.dmp

memory/4128-5749-0x0000000000740000-0x0000000000744000-memory.dmp

memory/1532-5750-0x0000000000CC0000-0x0000000000CC9000-memory.dmp

memory/1532-5751-0x00000000009E0000-0x00000000009EC000-memory.dmp

C:\ProgramData\KFBAECBA

MD5 32bb8ea35279c436279a97f9760e01bb
SHA1 ae53a488303d09e9ebd66420d38d3da3062ae3b2
SHA256 1e54d702319225b2b4d128674cbd934f03698f58658b4740978a7428d72badc5
SHA512 86752c0075d522547ddc72f09c2a17bdbc8315bcaa941f504d220b5cac54cba05b7df72b7eb10a96cf9d533bbeaff1c37d16f23d29e1b280986830fabe1b4922

memory/2264-5846-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/2264-5871-0x0000000000110000-0x0000000000119000-memory.dmp

memory/4684-5822-0x0000000000520000-0x000000000052B000-memory.dmp

memory/4808-5874-0x00000000003C0000-0x00000000003C7000-memory.dmp

memory/4168-5988-0x0000000000630000-0x0000000000635000-memory.dmp

memory/4808-6106-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/4168-6042-0x0000000000620000-0x0000000000629000-memory.dmp

memory/2544-6283-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/4512-6336-0x0000000000180000-0x00000000001A7000-memory.dmp

memory/4512-6312-0x0000000000620000-0x0000000000629000-memory.dmp

memory/3420-6504-0x0000000000CD0000-0x0000000000CD5000-memory.dmp

memory/4616-6506-0x0000000000180000-0x00000000001A7000-memory.dmp

memory/4616-6507-0x00000000004C0000-0x00000000004C9000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/1532-6532-0x0000000000CC0000-0x0000000000CC9000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\ProgramData\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\ProgramData\freebl3.dll

MD5 550686c0ee48c386dfcb40199bd076ac
SHA1 ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256 edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA512 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

C:\ProgramData\nss3.dll

MD5 615284e726285c31861770b8f964d234
SHA1 174595c1c8cbee066bad5780e444454245405028
SHA256 8bf4fc4632162d62d4aec1d5bf944ee9629a1712b3736a946690f27ac8b03517
SHA512 d02d93d8d3a1c0bf4ace0f890a01ba29f7756ecc20279f1e9df87829f905b5d1a67fee03afdd9577a426ce5aedcafe6d604f2ebb125c5f13accc6ce44244deb9

C:\ProgramData\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

MD5 906093793019587502a06f922878bd35
SHA1 40242c9d64e85b128094b1531fadfda2c47e9cc8
SHA256 280aeee60fc844b8cd6ba38870f25ac42715611e635f294cedd6e8fff84d9813
SHA512 1372370822843e2fe3d8862a52879092b0158e2ba1df35fe2b4501c90701289958eab6c8135e0b319738c00d81efb37b43a1da93449fa9b1d313e9b4bf8520c3

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 49ba729dd7ad347eb8ad44dcc3f20de4
SHA1 36bfc3b216daa23e7c3a1e89df88ca533ad878d1
SHA256 88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d
SHA512 c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.cat

MD5 463a0532986607cb1ad6b26e94153c05
SHA1 9aa5b80581530693c1f3cb32a1e107532a2a1a96
SHA256 e07a11415f11c98fa5d6e8fb8baa515be4fd071d3528910273efcbec9e882075
SHA512 a004a39ec97d816f7e2f43cd4b1bd52acbdbc5f358a5bfe6d997bfed223af2b9a9653fee8fb57e0d4ed11135802a49b85a8286a8119996a4ed88c78f641b1f80

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum

MD5 741bc0bd78e3693cb950954aa1bf2e52
SHA1 bd322ece9153b51214eda41bba0c6b803d6caa30
SHA256 a349648c7ac60c4711585d09d0c9012f2c8b96077ccaf957c672b34a05c5ad8d
SHA512 b6dd9a8b794ee35fe99f04f5d78b2168157e3fed76752a98b8a39cc5c567ec23581b5c348da6e149ab28ea0cb89c0c0d0f08545174f01ba9d45a860a4eb73b7c

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum

MD5 faa5d3edf8f8b47e17173dab27aff8f7
SHA1 ca402e701fe1da5188c8cb1583978a4a02be3e06
SHA256 c0056140377ab9c71080b45b0a4752cdb74bcbbab953033dba99088e132153db
SHA512 639bdf2114392ab5fea653348ead79727f08d63821db5d37f83923911b7da7dbd3a867163b2fc306626641ee0c16ae9956ca559192c0f5892c61df7947596cba

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat

MD5 7defe9e392b71ddb561f14c55db5e0c7
SHA1 c9474a81bdd48067ef8862a0326896921ce50104
SHA256 441bccb6966c27b25627a4941fe4889b6962cc94db091593fc776b6be01219e8
SHA512 ff19c0a82b829f1eb65f861a539b2e92891f72bc6f5d6645c2b136ef5c1c237064efbe70c51bfd864c80af1f0655f9e34756ce44eac884bd0a37ae27ffd30dc4

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~~10.0.15063.0.mum

MD5 c0ba2a5e38998a8241042491e1b48588
SHA1 39f7ab5e1fee3052a82e651070d5a8ed7de43685
SHA256 2d1336891463292c98d11cb42dd72d8c4335a311fc0b37bccc2161fdd55ff726
SHA512 01b46c0d2aed24b3f5c6ea9e50e2960c4855129e48207cff969843f4ae72ed15dacf531875d92ebbead031f82f70317446608d012d1be8f776c017a9f28c3d2d

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat

MD5 241be6be4b06da4a85f1e110c01427c6
SHA1 42ee3232b1c182159696f66c15800a9878177bfb
SHA256 1ee08c4f17b4c7bebf42a09f6c5d8cf09257218b30bede48db3045fc8c07bb8f
SHA512 71df8d3d84393abd418b9c498960b3faf90d85caf60905961482b3c22c200782f55b6f69e23552c3938fe241baba6ad5d012038890f4ee882a0b824f4e091664

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.mum

MD5 b62ccf58661ccf5f36e5150711bbfe1b
SHA1 ba057cf26ebcc7b3951ac44b58637ea3d9d2e516
SHA256 d8be26c66596f9f4a4ce5776d22d686dd31abd1bb5c659cb2d75faeb7e3e14d1
SHA512 3b10394f954621bf7c5add004fd3bef18c9ebba5765122358bf9015788f31cba1f334efcdfcd913d7351fa03d4e8f89f11ccb93dbd1ac9bc7bbfadaa654a9dd8

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum

MD5 47ddc67f27f9e7d00e60b68be2ef1fd8
SHA1 6b804bbe0bfd5b15c86c7f2b01a3bd72c1d3e63e
SHA256 ae7030129ca67d8b57025cd91cf9978b9dbf7d4446420a846bee00c1ac6da75b
SHA512 dc9616d7f532d58de72375e913de1aac3dd2c953728288fedb95f491b8f04bd25b7c22c0fe28c87e0ff9465b7f1acf77ae64cb3f0dda87dc642b04ea8328f309

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.cat

MD5 d93ac1e6d7078f07ab83a2c96dfc71d9
SHA1 5326a1b1b3c9b950134b3d05a755355b07881a2b
SHA256 0e44999d33b50a526870b2d7210e7abd46696dc469a698fc52372104169098f6
SHA512 cab43acf474ec02753d0fd062791bad49b46bb63e1968b00eed566b7fc9cd73f089a84817f741ece99a895ea59206041904e68bc8a68ad6ff6287d5687c786fd

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.cat

MD5 1ece20c692f338709ea3b121feb5ad38
SHA1 e5eb5b5cc4acb056088c6874e8b415d5c72c4d63
SHA256 7240a7307734a427de9afecd44929e13ae4d2bb1d1ea7c45806b809d43ac7d4a
SHA512 c7cb73e3bf8504860546c365b2d2ce112855f5b7d746c6ae889e21f0cfa9abead94dfe090268fd9e07314cb292a9ade5f6b7a37e7bfeea15c1b740c5bccdbdcf

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.mum

MD5 ac62b24ee1c94ba09ff3b85bba930bf2
SHA1 9a9aa17c629d9e2dc09078764f59f081f69bebab
SHA256 a044c0e9036e355cc530e88831cbbe60165477929d0f838c786a513937ff1628
SHA512 1168537c3a9b92c8534434f8cf68a3d4d95a48086beb194c68519db9b65f3f57706a678bb7accf085b9f121c069a8c1fae78a1a64df853fb039a761efebf130d

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.mum

MD5 1d420956e62d902c9bd65a62ba34bc2b
SHA1 fc917590f656b79d5d55112926dfa8e8e5635f45
SHA256 a29100bbcc276666b7182bf3b41cf6ddc1cac090dbc109f7674f2b46027fd67c
SHA512 c63177c1615d7635eb3eb13b55d67543954409acd06f19467c0bc20981278866fc3edd07cecf75c9d2256734fd315f05eb5f5f5f646e3960d89f5a969d3ca981

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat

MD5 8f1ab8d6a77c7c01da26f26ddfe8b0f6
SHA1 4cae8a293cdf2b439dcd915ab070d9d94855411e
SHA256 f21e412d461eb8138fdc0f4f25d66882deed8c2498a2cbd764de5be116548a52
SHA512 17204b39b08a1275962949acb45b8f12d2d9f57ce49b16d369c58630fa185ac213ed87590dd8bc438e6bc1d477460c604bc346608744e526180b50c6f5e0a5aa

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat

MD5 be70c63aeccef9f4c5175a8741b13b69
SHA1 c5ef2591b7f1df2ecbca40219d2513d516825e9a
SHA256 d648d365d08a7c503edc75535a58f15b865f082b49355254d539a41bf3af87ff
SHA512 b93bf53a5c71a587df7b59fdcaf8046c47e5d82838666ca12e6f56e26c0b9223edf7bf3dbb9352d5718486c531e34a060a05d7924896ab3b6d370dd4ef262186

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum

MD5 f82f048efc3466bd287ecaa6f5a2d679
SHA1 9eedd9499deae645ffe402eb50361e83def12f14
SHA256 e35cd2ee9eae753175b9b88e032d4973672ff5677b9b7b79eaff1839e0c3044c
SHA512 5cc7337eebc480c482d56a8a5a2c788daa5c4e0370dc33d612caf59c65757cfa7cfc3cbb3321a7e01c6bb97e827962c4d156cfa661ea0b230a43e67940c81230

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat

MD5 6523a368322f50d964b00962f74b3f65
SHA1 5f360ae5b5b5e76f390e839cf1b440333506e4e8
SHA256 652687424e20a2d6c16ea15ae653150467cfae4993d5ca28dc30106ff8a0ca67
SHA512 210737efc4e2775f261b0dc00ca1ad2aa1a7630633688c5bb9190fa5ff791e9757bbae190f4f7e931f8a4c7e4acf1effce479fdafd3952777ee40d08bdf1c046

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 a4bd1ce8b5026e59037a3903cd6e4e3a
SHA1 352243b758a585cf869cd9f9354cd302463f4d9d
SHA256 39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c
SHA512 c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 49ba729dd7ad347eb8ad44dcc3f20de4
SHA1 36bfc3b216daa23e7c3a1e89df88ca533ad878d1
SHA256 88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d
SHA512 c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd

MD5 64d3f93322e5e6932ad162365441301d
SHA1 832e1b6e6560f8dae2b8282b72a1d80545ea5891
SHA256 df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc
SHA512 86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png

MD5 08de9d6a366fb174872e8043e2384099
SHA1 955114d06eefae5e498797f361493ee607676d95
SHA256 0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861
SHA512 59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png

MD5 2bb84fb822fe6ed44bf10bbf31122308
SHA1 e9049ca6522a736d75fc85b3b16a0ad0dc271334
SHA256 afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc
SHA512 1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png

MD5 1572efa3e47162a7b2198893a362b803
SHA1 a291f6f1cae15d03d5ef0f748b83bee024aa2fca
SHA256 d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc
SHA512 4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png

MD5 0262d1daca4c1c1e22dec63b012e3641
SHA1 609258b00f17f2a9dd586fe5a7e485573ef477c9
SHA256 8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc
SHA512 a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png

MD5 541abea8b402b4ddd7463b2cd1bf54ec
SHA1 e0bfa993adcc35d6cc955be49c2f952529660ad5
SHA256 d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16
SHA512 b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

C:\Users\Admin\AppData\Local\Temp\BD94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml

MD5 44628eb64853341f7678ec488959efe2
SHA1 60e37cb04f7941b6070d3ce035af3d434c78fbfd
SHA256 f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e
SHA512 0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

C:\Users\Admin\AppData\Local\Temp\BD94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml

MD5 5b333e85c957925ec5f7ae9c47872020
SHA1 97431745824321574e6e6c9666e79147b5a6ea67
SHA256 c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08
SHA512 377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

C:\Users\Admin\AppData\Local\Temp\BD94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml

MD5 44628eb64853341f7678ec488959efe2
SHA1 60e37cb04f7941b6070d3ce035af3d434c78fbfd
SHA256 f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e
SHA512 0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

C:\Users\Admin\AppData\Local\Temp\BD94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml

MD5 5b333e85c957925ec5f7ae9c47872020
SHA1 97431745824321574e6e6c9666e79147b5a6ea67
SHA256 c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08
SHA512 377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 a4bd1ce8b5026e59037a3903cd6e4e3a
SHA1 352243b758a585cf869cd9f9354cd302463f4d9d
SHA256 39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c
SHA512 c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd

MD5 64d3f93322e5e6932ad162365441301d
SHA1 832e1b6e6560f8dae2b8282b72a1d80545ea5891
SHA256 df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc
SHA512 86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png

MD5 08de9d6a366fb174872e8043e2384099
SHA1 955114d06eefae5e498797f361493ee607676d95
SHA256 0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861
SHA512 59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png

MD5 0262d1daca4c1c1e22dec63b012e3641
SHA1 609258b00f17f2a9dd586fe5a7e485573ef477c9
SHA256 8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc
SHA512 a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png

MD5 52bf805c4241200c576401a59f9e211a
SHA1 a10074a87d7c244fcee9b8d45005673aa48140a1
SHA256 adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c
SHA512 9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png

MD5 2bb84fb822fe6ed44bf10bbf31122308
SHA1 e9049ca6522a736d75fc85b3b16a0ad0dc271334
SHA256 afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc
SHA512 1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png

MD5 1572efa3e47162a7b2198893a362b803
SHA1 a291f6f1cae15d03d5ef0f748b83bee024aa2fca
SHA256 d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc
SHA512 4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

C:\Users\Admin\AppData\Local\Temp\BD94\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png

MD5 541abea8b402b4ddd7463b2cd1bf54ec
SHA1 e0bfa993adcc35d6cc955be49c2f952529660ad5
SHA256 d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16
SHA512 b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

C:\info.hta

MD5 98f453368290af0a8f159a1c5e517ac0
SHA1 052327ee92b0638d2402c7014418e164279a858b
SHA256 092e1c3b4cd7be772d0723a2fa92e84015b062c423a2df87a87de86aa238e43f
SHA512 9c7ad118e841987a4e3c45c2fc9a7b3803c562cd5535537c779af5193318c100a206cf9cb5ee7156de5cf3d18eeb16af126eaca623c94518879673f2337704c4

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.15063.0_none_c4bc07330185781a\WalletProxy.dll

MD5 590c906654ff918bbe91a14daac58627
SHA1 f598edc38b61654f12f57ab1ddad0f576fe74d0d
SHA256 5d37fbfe7320aa0e215be9d8b05d77a0f5ace2deec010606b512572af2bb4dfc
SHA512 98a50429b039f98dd9adda775e7d2a0d51bb2beea2452247a2041e1f20b3f13b505bcdeecd833030bbecb58f74a82721cc577932dec086fff64ecef5432e8f9a

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.15063.0_none_e6c3164a2494c88b\Windows.ApplicationModel.Wallet.dll

MD5 6161c69d5d0ea175d6c88d7921e41385
SHA1 088b440405ddba778df1736b71459527aca63363
SHA256 8128dff83791b26a01ce2146302f1d8b1159f4943844ab325522cf0fc1e2597e
SHA512 cba6e3d1fcb3147193adde3b0f4a95848996999180b59e7bdf16e834e055261cf53548c3972e84d81f840d862c5af53d44945cf4319f24705aecc7d47d1cda07

C:\Users\Admin\AppData\Local\Temp\BD94\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.15063.0_none_5f8e4354b974f702\WalletBackgroundServiceProxy.dll

MD5 d3c040e9217f31648250f4ef718fa13d
SHA1 72e1174edd4ee04b9c72e6d233af0b83fbfc17dc
SHA256 52e4a039e563ee5b63bbf86bdaf28c2e91c87947f4edeebb42691502cb07cbd7
SHA512 e875f1ff68a425567024800c6000a861275c5b882f671178ca97d0dbf0dda2bdd832f38f02138a16817871aa2ddb154998987efc4a9b49ccaac6a22a9713a3d7