Analysis
max time kernel: 134s
max time network: 238s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-08-2023 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
  Resource: win10-20230703-en
General
Target: 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
Size: 1.1MB
MD5: 2181684f545183f80560fef4bfc7be5c
SHA1: 0a09c859c9ac8a46112249b551ee1a9584762786
SHA256: 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a
SHA512: 234b5ce60053d1aa2424939949fbf32317333c709ab58e77c3b846568da3be238652327cac4b14fd5bec3f48eccaa80b0c64eba1df6ec20be0fa34ede2a861f0
SSDEEP: 24576:TkGMg7vOg4aI0IciemH9M8+Rbsitm4R9g8I1:F7WgElveQM88sitn
Malware Config
Extracted
C:\info.hta
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload 2 IoCs
Processes:
  behavioral2/files/0x0003000000016e8a-13406.dat  family_ammyyadmin
  behavioral2/files/0x0003000000016e8a-13510.dat  family_ammyyadmin
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
  behavioral2/memory/2508-1212-0x0000000002F50000-0x0000000003350000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2508-1214-0x0000000002F50000-0x0000000003350000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2508-1226-0x0000000002F50000-0x0000000003350000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2508-1228-0x0000000002F50000-0x0000000003350000-memory.dmp  family_rhadamanthys
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Phobos
Phobos ransomware appeared at the beginning of 2019.
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  PID 2508 created 3296  (2508 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe, procid_target 32)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
  420 bcdedit.exe
  4728 bcdedit.exe
  4832 bcdedit.exe
  4136 bcdedit.exe
Renames multiple (371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes backup catalog 2 IoCs
Processes:
  4292 wbadmin.exe
  4948 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
Deletes itself 1 IoCs
Processes:
  652 certreq.exe
Drops startup file 1 IoCs
Processes:
  File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\WRk)uKf9.exe  (WRk)uKf9.exe)
Executes dropped EXE 12 IoCs
Processes:
  4600 WRk)uKf9.exe
  2076 232.exe
  2616 35%_BVe.exe
  4424 kG2FSz2eJ.exe
  4440 WRk)uKf9.exe
  3292 WRk)uKf9.exe
  2372 232.exe
  376 WRk)uKf9.exe
  2020 WRk)uKf9.exe
  1644 WRk)uKf9.exe
  3432 6C9B.exe
  2152 742D.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WRk)uKf9 = "C:\\Users\\Admin\\AppData\\Local\\WRk)uKf9.exe"  (WRk)uKf9.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\WRk)uKf9 = "C:\\Users\\Admin\\AppData\\Local\\WRk)uKf9.exe"  (WRk)uKf9.exe)
Drops desktop.ini file(s) 5 IoCs
Processes:
  File opened for modification C:\$Recycle.Bin\S-1-5-21-488886677-2269338296-1239465872-1000\desktop.ini  (WRk)uKf9.exe)
  File opened for modification F:\$RECYCLE.BIN\S-1-5-21-488886677-2269338296-1239465872-1000\desktop.ini  (WRk)uKf9.exe)
  File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini  (WRk)uKf9.exe)
  File opened for modification C:\Program Files\desktop.ini  (WRk)uKf9.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI  (WRk)uKf9.exe)
Suspicious use of SetThreadContext 4 IoCs
Processes:
  PID 4236 set thread context of 2508  (4236 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe, procid_target 69)
  PID 4600 set thread context of 3292  (4600 WRk)uKf9.exe, procid_target 78)
  PID 2076 set thread context of 2372  (2076 232.exe, procid_target 80)
  PID 376 set thread context of 1644  (376 WRk)uKf9.exe, procid_target 101)
Drops file in Program Files directory 64 IoCs
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  4284 vssadmin.exe
  4868 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 29 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
* C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE), PID 3296
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  * C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe"), PID 4236
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    * C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe), PID 2508
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  * C:\Windows\system32\certreq.exe (cmdline: "C:\Windows\system32\certreq.exe"), PID 652
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
  * C:\Users\Admin\AppData\Local\Temp\6C9B.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\6C9B.exe), PID 3432
    - Executes dropped EXE
    * C:\Users\Admin\AppData\Local\Temp\6C9B.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\6C9B.exe), PID 1512
  * C:\Users\Admin\AppData\Local\Temp\742D.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\742D.exe), PID 2152
    - Executes dropped EXE
    * C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"), PID 2900
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 2908
  * C:\Windows\explorer.exe (cmdline: C:\Windows\explorer.exe), PID 984
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 4940
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 3848
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 3788
  * C:\Windows\explorer.exe (cmdline: C:\Windows\explorer.exe), PID 4208
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 4188
  * C:\Windows\explorer.exe (cmdline: C:\Windows\explorer.exe), PID 1900
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 1288
  * C:\Windows\explorer.exe (cmdline: C:\Windows\explorer.exe), PID 4944
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 3764
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 984
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 356
  * C:\Windows\explorer.exe (cmdline: C:\Windows\explorer.exe), PID 3492
  * C:\Windows\SysWOW64\explorer.exe (cmdline: C:\Windows\SysWOW64\explorer.exe), PID 2084
    * C:\Users\Admin\AppData\Local\Temp\C75D.tmp\svchost.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\C75D.tmp\svchost.exe -debug), PID 424
      * C:\Windows\SysWOW64\ctfmon.exe (cmdline: ctfmon.exe), PID 4244
      * C:\Windows\SysWOW64\ctfmon.exe (cmdline: ctfmon.exe), PID 3092
* C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe (cmdline: "C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe"), PID 4600
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  * C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe (cmdline: C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe), PID 4440
    - Executes dropped EXE
  * C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe (cmdline: C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe), PID 3292
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    * C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe (cmdline: "C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe"), PID 376
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      * C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe (cmdline: C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe), PID 2020
        - Executes dropped EXE
      * C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe (cmdline: C:\Users\Admin\AppData\Local\Microsoft\WRk)uKf9.exe), PID 1644
        - Executes dropped EXE
    * C:\Windows\system32\cmd.exe (cmdline: "C:\Windows\system32\cmd.exe"), PID 2964
      * C:\Windows\system32\vssadmin.exe (cmdline: vssadmin delete shadows /all /quiet), PID 4284
        - Interacts with shadow copies
      * C:\Windows\System32\Wbem\WMIC.exe (cmdline: wmic shadowcopy delete), PID 1268
        - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\system32\bcdedit.exe (cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures), PID 420
        - Modifies boot configuration data using bcdedit
      * C:\Windows\system32\bcdedit.exe (cmdline: bcdedit /set {default} recoveryenabled no), PID 4728
        - Modifies boot configuration data using bcdedit
      * C:\Windows\system32\wbadmin.exe (cmdline: wbadmin delete catalog -quiet), PID 4292
        - Deletes backup catalog
    * C:\Windows\system32\cmd.exe (cmdline: "C:\Windows\system32\cmd.exe"), PID 788
      - Suspicious use of WriteProcessMemory
      * C:\Windows\system32\netsh.exe (cmdline: netsh advfirewall set currentprofile state off), PID 3412
        - Modifies Windows Firewall
      * C:\Windows\system32\netsh.exe (cmdline: netsh firewall set opmode mode=disable), PID 4892
        - Modifies Windows Firewall
    * C:\Windows\SysWOW64\mshta.exe (cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}), PID 3820
    * C:\Windows\SysWOW64\mshta.exe (cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}), PID 880
    * C:\Windows\SysWOW64\mshta.exe (cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}), PID 396
    * C:\Windows\SysWOW64\mshta.exe (cmdline: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}), PID 3920
    * C:\Windows\system32\cmd.exe (cmdline: "C:\Windows\system32\cmd.exe"), PID 4116
      * C:\Windows\system32\vssadmin.exe (cmdline: vssadmin delete shadows /all /quiet), PID 4868
        - Interacts with shadow copies
      * C:\Windows\System32\Wbem\WMIC.exe (cmdline: wmic shadowcopy delete), PID 2356
      * C:\Windows\system32\bcdedit.exe (cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures), PID 4832
        - Modifies boot configuration data using bcdedit
      * C:\Windows\system32\bcdedit.exe (cmdline: bcdedit /set {default} recoveryenabled no), PID 4136
        - Modifies boot configuration data using bcdedit
      * C:\Windows\system32\wbadmin.exe (cmdline: wbadmin delete catalog -quiet), PID 4948
        - Deletes backup catalog
* C:\Users\Admin\AppData\Local\Microsoft\232.exe (cmdline: "C:\Users\Admin\AppData\Local\Microsoft\232.exe"), PID 2076
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  * C:\Users\Admin\AppData\Local\Microsoft\232.exe (cmdline: C:\Users\Admin\AppData\Local\Microsoft\232.exe), PID 2372
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
* C:\Users\Admin\AppData\Local\Microsoft\35%_BVe.exe (cmdline: "C:\Users\Admin\AppData\Local\Microsoft\35%_BVe.exe"), PID 2616
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe), PID 3496
* C:\Users\Admin\AppData\Local\Microsoft\kG2FSz2eJ.exe (cmdline: "C:\Users\Admin\AppData\Local\Microsoft\kG2FSz2eJ.exe"), PID 4424
  - Executes dropped EXE
* C:\Windows\system32\vssvc.exe (cmdline: C:\Windows\system32\vssvc.exe), PID 3304
  - Suspicious use of AdjustPrivilegeToken
* C:\Windows\system32\wbengine.exe (cmdline: "C:\Windows\system32\wbengine.exe"), PID 2892
  - Suspicious use of AdjustPrivilegeToken
* C:\Windows\System32\vdsldr.exe (cmdline: C:\Windows\System32\vdsldr.exe -Embedding), PID 5088
* C:\Windows\System32\vds.exe (cmdline: C:\Windows\System32\vds.exe), PID 1160
* C:\Users\Admin\AppData\Roaming\sgvucic (cmdline: C:\Users\Admin\AppData\Roaming\sgvucic), PID 4528
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads