ammyyadmin | 6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

Analysis

max time kernel
224s
max time network
300s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
07-09-2023 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
Size

833KB
MD5

17688f03f125bb494dc7f304b8936221
SHA1

7fadc66ba11a5b3c4582f4d9b5b245801ccf918a
SHA256

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
SHA512

1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06
SSDEEP

12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>C21B59F2-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11F.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\11F.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3328-14-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3328-16-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3328-15-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3328-17-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3328-29-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3328-31-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exeA9CB.exe

description	pid	process	target process
PID 3328 created 3272	3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	Explorer.EXE
PID 5040 created 3272	5040	A9CB.exe	Explorer.EXE
PID 5040 created 3272	5040	A9CB.exe	Explorer.EXE
PID 5040 created 3272	5040	A9CB.exe	Explorer.EXE
PID 5040 created 3272	5040	A9CB.exe	Explorer.EXE
PID 5040 created 3272	5040	A9CB.exe	Explorer.EXE
PID 5040 created 3272	5040	A9CB.exe	Explorer.EXE

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3780 bcdedit.exe
1044 bcdedit.exe
5604 bcdedit.exe
5824 bcdedit.exe
Renames multiple (457) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4208 wbadmin.exe
5352 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

4128 netsh.exe
3064 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
3780	bcdedit.exe
1044	bcdedit.exe
5604	bcdedit.exe
5824	bcdedit.exe

pid	process
4208	wbadmin.exe
5352	wbadmin.exe

pid	process
4128	netsh.exe
3064	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

4428 certreq.exe

pid	process
4428	certreq.exe

Drops startup file 3 IoCs

Processes:

p3nDL6L7.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\p3nDL6L7.exe	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	p3nDL6L7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe

Executes dropped EXE 17 IoCs

Processes:

p3nDL6L7.exen6NB.exep3nDL6L7.exep3nDL6L7.exep3nDL6L7.exen6NB.exep3nDL6L7.exe7C01.exe7C01.exe82F7.exe8EDF.exeA9CB.exe82F7.exe82F7.exe82F7.exesvchost.exe82F7.exe

pid	process
3440	p3nDL6L7.exe
2724	n6NB.exe
1392	p3nDL6L7.exe
4896	p3nDL6L7.exe
5108	p3nDL6L7.exe
4700	n6NB.exe
4652	p3nDL6L7.exe
1184	7C01.exe
4052	7C01.exe
3660	82F7.exe
4632	8EDF.exe
5040	A9CB.exe
4320	82F7.exe
4992	82F7.exe
4924	82F7.exe
2544	svchost.exe
4716	82F7.exe

Loads dropped DLL 1 IoCs

Processes:

8EDF.exe

pid process

4632 8EDF.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4632	8EDF.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

p3nDL6L7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p3nDL6L7 = "C:\\Users\\Admin\\AppData\\Local\\p3nDL6L7.exe"	p3nDL6L7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\p3nDL6L7 = "C:\\Users\\Admin\\AppData\\Local\\p3nDL6L7.exe"	p3nDL6L7.exe

Drops desktop.ini file(s) 41 IoCs

Processes:

p3nDL6L7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Program Files\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1148472871-1113856141-1322182616-1000\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	p3nDL6L7.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1148472871-1113856141-1322182616-1000\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	p3nDL6L7.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	p3nDL6L7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exep3nDL6L7.exen6NB.exep3nDL6L7.exe7C01.exeA9CB.exe82F7.exe

description	pid	process	target process
PID 392 set thread context of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 3440 set thread context of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 2724 set thread context of 4700	2724	n6NB.exe	n6NB.exe
PID 5108 set thread context of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 1184 set thread context of 4052	1184	7C01.exe	7C01.exe
PID 5040 set thread context of 2304	5040	A9CB.exe	dialer.exe
PID 3660 set thread context of 4716	3660	82F7.exe	82F7.exe

Drops file in Program Files directory 64 IoCs

Processes:

p3nDL6L7.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12s.png	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-200.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Gamerpics.dll	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcp140_1.dll	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\il_60x42.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-150.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-100.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcr110.dll	p3nDL6L7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-125.png	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Popup\FUE4_Image.png	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerObject.fx	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_badge_compact.png	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files\RegisterConvertTo.cab.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui	p3nDL6L7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	p3nDL6L7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	p3nDL6L7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	p3nDL6L7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ui-strings.js.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\fo_60x42.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Hollow.png	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll	p3nDL6L7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd	p3nDL6L7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\ui-strings.js	p3nDL6L7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_Welcome.mp4	p3nDL6L7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	p3nDL6L7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\ui-strings.js.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Blizzard-of_Bliss_.png	p3nDL6L7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\ui-strings.js.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML	p3nDL6L7.exe
File created	C:\Program Files\SelectDeny.iso.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\offsym.ttf	p3nDL6L7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\ui-strings.js.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h	p3nDL6L7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.id[C21B59F2-3483].[[email protected]].8base	p3nDL6L7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png	p3nDL6L7.exe

Drops file in Windows directory 1 IoCs

Processes:

Explorer.EXE

description ioc process

File created C:\Windows\rescache\_merged\2717123927\3950266016.pri Explorer.EXE
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4568 sc.exe
2976 sc.exe
4588 sc.exe
1900 sc.exe
3152 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

344 1012 WerFault.exe dwm.exe
4628 4200 WerFault.exe DllHost.exe
380 3128 WerFault.exe DllHost.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	Explorer.EXE

pid	process
4568	sc.exe
2976	sc.exe
4588	sc.exe
1900	sc.exe
3152	sc.exe

pid	pid_target	process	target process
344	1012	WerFault.exe	dwm.exe
4628	4200	WerFault.exe	DllHost.exe
380	3128	WerFault.exe	DllHost.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8EDF.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\8EDF.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\8EDF.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\8EDF.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exen6NB.exevds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	n6NB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	n6NB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	n6NB.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1596 vssadmin.exe
5496 vssadmin.exe

pid	process
1596	vssadmin.exe
5496	vssadmin.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.execertreq.exep3nDL6L7.exen6NB.exep3nDL6L7.exen6NB.exep3nDL6L7.exeExplorer.EXE

pid	process
392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
4428	certreq.exe
4428	certreq.exe
4428	certreq.exe
4428	certreq.exe
3440	p3nDL6L7.exe
3440	p3nDL6L7.exe
3440	p3nDL6L7.exe
2724	n6NB.exe
5108	p3nDL6L7.exe
4700	n6NB.exe
4700	n6NB.exe
4896	p3nDL6L7.exe
4896	p3nDL6L7.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
4896	p3nDL6L7.exe
4896	p3nDL6L7.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
4896	p3nDL6L7.exe
4896	p3nDL6L7.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
4896	p3nDL6L7.exe
4896	p3nDL6L7.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
4896	p3nDL6L7.exe
4896	p3nDL6L7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3272 Explorer.EXE

pid	process
3272	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

n6NB.exeExplorer.EXEexplorer.exe

pid	process
4700	n6NB.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
1020	explorer.exe
1020	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exep3nDL6L7.exen6NB.exep3nDL6L7.exep3nDL6L7.exevssvc.exeWMIC.exeExplorer.EXEwbengine.exe7C01.exe82F7.exe

description	pid	process
Token: SeDebugPrivilege	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
Token: SeDebugPrivilege	3440	p3nDL6L7.exe
Token: SeDebugPrivilege	2724	n6NB.exe
Token: SeDebugPrivilege	5108	p3nDL6L7.exe
Token: SeDebugPrivilege	4896	p3nDL6L7.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeBackupPrivilege	2312	wbengine.exe
Token: SeRestorePrivilege	2312	wbengine.exe
Token: SeSecurityPrivilege	2312	wbengine.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeDebugPrivilege	1184	7C01.exe
Token: SeDebugPrivilege	3660	82F7.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

svchost.exeExplorer.EXEdwm.exe

pid	process
2544	svchost.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
276	dwm.exe
276	dwm.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
276	dwm.exe
276	dwm.exe
276	dwm.exe
276	dwm.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3272 Explorer.EXE
3272 Explorer.EXE

pid	process
3272	Explorer.EXE
3272	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exep3nDL6L7.exen6NB.exep3nDL6L7.exep3nDL6L7.execmd.execmd.exeExplorer.EXE7C01.exe

description	pid	process	target process
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 392 wrote to memory of 3328	392	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 3328 wrote to memory of 4428	3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 3328 wrote to memory of 4428	3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 3328 wrote to memory of 4428	3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 3328 wrote to memory of 4428	3328	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 3440 wrote to memory of 1392	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 1392	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 1392	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 3440 wrote to memory of 4896	3440	p3nDL6L7.exe	p3nDL6L7.exe
PID 2724 wrote to memory of 4700	2724	n6NB.exe	n6NB.exe
PID 2724 wrote to memory of 4700	2724	n6NB.exe	n6NB.exe
PID 2724 wrote to memory of 4700	2724	n6NB.exe	n6NB.exe
PID 2724 wrote to memory of 4700	2724	n6NB.exe	n6NB.exe
PID 2724 wrote to memory of 4700	2724	n6NB.exe	n6NB.exe
PID 2724 wrote to memory of 4700	2724	n6NB.exe	n6NB.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 5108 wrote to memory of 4652	5108	p3nDL6L7.exe	p3nDL6L7.exe
PID 4896 wrote to memory of 840	4896	p3nDL6L7.exe	cmd.exe
PID 4896 wrote to memory of 840	4896	p3nDL6L7.exe	cmd.exe
PID 4896 wrote to memory of 4604	4896	p3nDL6L7.exe	cmd.exe
PID 4896 wrote to memory of 4604	4896	p3nDL6L7.exe	cmd.exe
PID 4604 wrote to memory of 4128	4604	cmd.exe	netsh.exe
PID 4604 wrote to memory of 4128	4604	cmd.exe	netsh.exe
PID 840 wrote to memory of 1596	840	cmd.exe	vssadmin.exe
PID 840 wrote to memory of 1596	840	cmd.exe	vssadmin.exe
PID 840 wrote to memory of 1172	840	cmd.exe	WMIC.exe
PID 840 wrote to memory of 1172	840	cmd.exe	WMIC.exe
PID 840 wrote to memory of 3780	840	cmd.exe	bcdedit.exe
PID 840 wrote to memory of 3780	840	cmd.exe	bcdedit.exe
PID 840 wrote to memory of 1044	840	cmd.exe	bcdedit.exe
PID 840 wrote to memory of 1044	840	cmd.exe	bcdedit.exe
PID 4604 wrote to memory of 3064	4604	cmd.exe	netsh.exe
PID 4604 wrote to memory of 3064	4604	cmd.exe	netsh.exe
PID 840 wrote to memory of 4208	840	cmd.exe	wbadmin.exe
PID 840 wrote to memory of 4208	840	cmd.exe	wbadmin.exe
PID 3272 wrote to memory of 1184	3272	Explorer.EXE	7C01.exe
PID 3272 wrote to memory of 1184	3272	Explorer.EXE	7C01.exe
PID 3272 wrote to memory of 1184	3272	Explorer.EXE	7C01.exe
PID 1184 wrote to memory of 4052	1184	7C01.exe	7C01.exe
PID 1184 wrote to memory of 4052	1184	7C01.exe	7C01.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1012 -s 2492
3⤵
- Program crash
PID:344

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
PID:276

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1096

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1432

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:3016

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1948

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2428

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2528

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3044

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
"C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4428

C:\Users\Admin\AppData\Local\Temp\7C01.exe
C:\Users\Admin\AppData\Local\Temp\7C01.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\7C01.exe
C:\Users\Admin\AppData\Local\Temp\7C01.exe
3⤵
- Executes dropped EXE
PID:4052

C:\Users\Admin\AppData\Local\Temp\82F7.exe
C:\Users\Admin\AppData\Local\Temp\82F7.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Local\Temp\82F7.exe
"C:\Users\Admin\AppData\Local\Temp\82F7.exe"
3⤵
- Executes dropped EXE
PID:4320

C:\Users\Admin\AppData\Local\Temp\82F7.exe
"C:\Users\Admin\AppData\Local\Temp\82F7.exe"
3⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\82F7.exe
"C:\Users\Admin\AppData\Local\Temp\82F7.exe"
3⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\AppData\Local\Temp\82F7.exe
"C:\Users\Admin\AppData\Local\Temp\82F7.exe"
3⤵
- Executes dropped EXE
PID:4716

C:\Users\Admin\AppData\Local\Temp\8EDF.exe
C:\Users\Admin\AppData\Local\Temp\8EDF.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4632

C:\Users\Admin\AppData\Local\Temp\A9CB.exe
C:\Users\Admin\AppData\Local\Temp\A9CB.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3964

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2556

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1028

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4468

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4128

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:2248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4476

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious behavior: MapViewOfSection
PID:1020

C:\Users\Admin\AppData\Local\Temp\11F.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\11F.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:2544

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:212

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:1052

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3152

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4568

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2976

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4588

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1900

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:3624

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4460

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1640

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5084

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:1532

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqltdrz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4048

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:4540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3128 -s 980
2⤵
- Program crash
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4596

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4200 -s 760
2⤵
- Program crash
PID:4628

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4572

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3804

C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
"C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
2⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:3780

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1044

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:4208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:4128

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:3064

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:1940

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:2468

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:4320

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:704

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:5332

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:5496

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:5280

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:5604

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:5824

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:5352

C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe
"C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe
C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4700

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
"C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s W32Time
1⤵
PID:4264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2252

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20230703-1110.dm
2⤵
PID:2720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C21B59F2-3483].[[email protected]].8base

Filesize
3.2MB

MD5
8397b3ef7a4b1ee627dca3b051cd0519

SHA1
dba1e2a9b6acf059eb5aa38117c5e0a3bf08e79f

SHA256
bf3cc44dfeac2931b801f63b0214a54b35cff991e40032ba128985feb1547d9a

SHA512
8c41f158e89e1415fe57920ee6fb00ebb4021ea01e7c40f2032bc823ec8659a3de910f4525a8448cb7a8b523f7d71d17092a0a751e42818aa6e7e8e740ed3ffe

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC6A.tmp.txt

Filesize
12KB

MD5
d029050f44c8bb0e58687a6db6dbb8c7

SHA1
0e86ed822f00ccf866456fc770b323f5b733f03e

SHA256
90a4a8d03b40b4805c3b3b3704353bc68bbbbaf4ec2fa5152848b67abd7f2dc1

SHA512
0bf5e48c59f4a926c6f09a08fb1296bd657beeae7f20fe7ccd0e12597857807ed8ac3360f8a1d09f6e4df91d69a5675fae14920dcd8ee52e646bbffa7b4cb373

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC8A.tmp.csv

Filesize
40KB

MD5
fdb2fd8705b54a85b8d1d86aa7442fcd

SHA1
ba62a23e7030947af04b49b00e98c00ce7cdc535

SHA256
55733cc48462c16ec0109cf68895d2c191910ae539b81be0225eeade2cb1b92a

SHA512
4c70d972f5764c74f8532d32c12dc7335cfa98916fca627e0f6a6ab57038a2a27720e76a9e915802e4101067e4d87eb4a83216414475ba91c6453158f0568827

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD66.tmp.txt

Filesize
12KB

MD5
ba09878850323202fed2e6171fa5d433

SHA1
9e0a930378bf0afad7f0d482b5e9659d85fd028e

SHA256
98e17cc4598775d5d9d606e31c72a72e02aac2a02556a165e1c1110968f3a225

SHA512
e5932e91fb36c9842f1b6e9a6b3b1a854a81cd3918434d4523cb6cfbfbe49dca79283f90c49e076892992cc8431045a9f2ddfa306b4c6763411f20e0a22ef0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7C01.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\82F7.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\n6NB.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\p3nDL6L7.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
984B

MD5
c8dc08b8f4028207e087767ed4d8c843

SHA1
4af1d8948f9a60b1d22cc6c3629d77698ef02f68

SHA256
71f9ce867b59fbb1c05e242939e2c20251fc9ae390d480d4e7d09e5f690431a4

SHA512
b4feb1b0c5b23af2426c5eb2448df5492defa264891925f4c9bbe58e2bef45fa7f8b6f57d8c448a271fa60689586e8fb5cda857fd25fb53c4651f42f8f943c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
24B

MD5
419a089e66b9e18ada06c459b000cb4d

SHA1
ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

SHA256
c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

SHA512
bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
0f9db372d7d36e070e49f5c3c4d6bbd5

SHA1
f67937bd63da0eea2fbe710be3f006935d5aa6d7

SHA256
e45e1fe9e967c69d49180ea95ba2711a46ccffff289ba5a9b8f5b0115e4d5cff

SHA512
00d01ff4e4931ca70df3177834d85d4d4b0f54e812f7a14c0b8551006fb88320e367b89a276db955a4aad4a3f169051a6250bbe4721371875770ab8af3136f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
47KB

MD5
3466ed81b7f164793d7ab8a1a7b52e09

SHA1
780fa808ad16e3dedb24b144807b640aa65ff38f

SHA256
ab4874b64aa122f795abb4c95f4208bb36d86c3d46287824698d6767a0f922c5

SHA512
a11144b710b40833bf1140b5e69921870ae0f77383d5777407e55f3104735082d0f80c10fa3341076591870c50ee01eb0569837c212f62160d8473b802f9088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83288296a657f97f500c5d72c7e9813d

SHA1
8b8fc6dd92a862d9ee0ea5b53277d4baa94e0eec

SHA256
ac86aded9bf43273c56406d36b4d1d06b7764cb2c1fdadbd79163f3ee4029494

SHA512
c0bbf852304a774d93ae04be705b220e53e4efba5e37d8d843db017ebd73c47598c0ad53244cb08dffd4059caf471ec8b6d539a6d82f458ac585c3450ce13a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25db2e6f89201fbc67cac4752e95f43d

SHA1
1d8ce2ecd32e68a15cb58d38c25950d8e7f4992a

SHA256
89181cd497d1f077437e6f682a863db775c42bdf20371dc16a16a9cf9c09b110

SHA512
17975a806f22fd8573e15f1fae2de5903c97d502fcc0c2409204924720a07e1635d8001338a1c9e111debd96d4beefefe805c12d38b1659b27c9b6112c62b562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\n6NB.exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\p3nDL6L7.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\11F.tmp\hr3

Filesize
68B

MD5
a95c925abda8944479ed3b1b5f78d274

SHA1
536839a96464f56cf2bf50422bf59f651fdc784b

SHA256
9260597e660325da9062a2172426d36cfc4c07ff13aaa969a8c06ee50811931a

SHA512
4d558e64a49a400e4367b7c33beb0dfb4cd414ffb677bd6c94654b0a8fead6cc116c3c6bf0650fbea3682bd6dd8412d80641a20c0b5fe1c0115e0074f7ae9d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11F.tmp\settings3.bin

Filesize
327B

MD5
4d64e1215491afe7be6f021b76441c9a

SHA1
de9f0bd4be7d0842410d7b8f45d4a4c36d1c29c3

SHA256
12720d938edb55c29804a2ba571f5a4ca3c36cd80d0544b90ed51546d862470d

SHA512
3c1b1044409289697e7322d42996c6237a99a2e17abc80b18f010eeca237928f74548da800921967418d9479e26f7908c453ee2f93565f55ae4883332ee91340

Download Submit
C:\Users\Admin\AppData\Local\Temp\11F.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\11F.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C01.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C01.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C01.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C01.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\82F7.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\82F7.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\82F7.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\82F7.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\82F7.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\82F7.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EDF.exe

Filesize
298KB

MD5
966f6925f2e2ea12f260ad305d5bfc69

SHA1
baeadfda934497ddc676a78e886935e4a70ce214

SHA256
0bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635

SHA512
9fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EDF.exe

Filesize
298KB

MD5
966f6925f2e2ea12f260ad305d5bfc69

SHA1
baeadfda934497ddc676a78e886935e4a70ce214

SHA256
0bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635

SHA512
9fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9CB.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9CB.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd

Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png

Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png

Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png

Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png

Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png

Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png

Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png

Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml

Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml

Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd

Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png

Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png

Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png

Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png

Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png

Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png

Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png

Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.15063.0_none_5f8e4354b974f702\WalletBackgroundServiceProxy.dll

Filesize
10KB

MD5
d3c040e9217f31648250f4ef718fa13d

SHA1
72e1174edd4ee04b9c72e6d233af0b83fbfc17dc

SHA256
52e4a039e563ee5b63bbf86bdaf28c2e91c87947f4edeebb42691502cb07cbd7

SHA512
e875f1ff68a425567024800c6000a861275c5b882f671178ca97d0dbf0dda2bdd832f38f02138a16817871aa2ddb154998987efc4a9b49ccaac6a22a9713a3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.15063.0_none_c4bc07330185781a\WalletProxy.dll

Filesize
36KB

MD5
590c906654ff918bbe91a14daac58627

SHA1
f598edc38b61654f12f57ab1ddad0f576fe74d0d

SHA256
5d37fbfe7320aa0e215be9d8b05d77a0f5ace2deec010606b512572af2bb4dfc

SHA512
98a50429b039f98dd9adda775e7d2a0d51bb2beea2452247a2041e1f20b3f13b505bcdeecd833030bbecb58f74a82721cc577932dec086fff64ecef5432e8f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE82\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.15063.0_none_e6c3164a2494c88b\Windows.ApplicationModel.Wallet.dll

Filesize
405KB

MD5
6161c69d5d0ea175d6c88d7921e41385

SHA1
088b440405ddba778df1736b71459527aca63363

SHA256
8128dff83791b26a01ce2146302f1d8b1159f4943844ab325522cf0fc1e2597e

SHA512
cba6e3d1fcb3147193adde3b0f4a95848996999180b59e7bdf16e834e055261cf53548c3972e84d81f840d862c5af53d44945cf4319f24705aecc7d47d1cda07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iki20pf5.jaq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk8FC9.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\cookies.sqlite.id[C21B59F2-3483].[[email protected]].8base

Filesize
96KB

MD5
26ebbba9be1806174eab4ff846f6f43a

SHA1
82d82c5ef1c7b75332573c7a40832ccddfbaeb86

SHA256
30212b55e09b6211910e326625675cd6ed1e027479eefbe40319cda9b29cc063

SHA512
ded95672ad99f8b474d2999fbffb0070b5aa64e462b4ea520a2a38dbccb50f323333e390f36ad22b76626f65c1bde807f67604416bec602e5a13b47d8cbb26b7

Download Submit
C:\info.hta

Filesize
5KB

MD5
4430b399025df384c1444e94c5f99b18

SHA1
2c700d8f036c1889876c75756ec3933368b5977e

SHA256
0a5a3c7e1f94dc01770718b9775bf72374d4fd81ded1138f514deef6b5be2f58

SHA512
4d542bbe314bc501f32416f13265ffeb7ceade61174cd3ad799f2d50e8109cc34b74946a2faf3057e22a130fe27ddb866b00672e99b0bc20e7801b384486fd16

Download Submit
\Users\Admin\AppData\Local\Temp\nsk8FC9.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
memory/392-6-0x00000000059A0000-0x0000000005E9E000-memory.dmp

Filesize
5.0MB

Download
memory/392-10-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/392-1-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/392-2-0x00000000051C0000-0x0000000005238000-memory.dmp

Filesize
480KB

Download
memory/392-3-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/392-4-0x00000000053D0000-0x0000000005438000-memory.dmp

Filesize
416KB

Download
memory/392-0-0x0000000000830000-0x0000000000906000-memory.dmp

Filesize
856KB

Download
memory/392-5-0x0000000005440000-0x000000000548C000-memory.dmp

Filesize
304KB

Download
memory/1184-4143-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/1184-4146-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/1184-4222-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-76-0x0000000005110000-0x0000000005152000-memory.dmp

Filesize
264KB

Download
memory/2724-88-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-78-0x0000000005190000-0x00000000051C2000-memory.dmp

Filesize
200KB

Download
memory/2724-77-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2724-75-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-72-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/2980-5108-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2980-5086-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/3272-112-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/3328-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3328-29-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/3328-16-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/3328-15-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/3328-17-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/3328-13-0x0000000003140000-0x0000000003147000-memory.dmp

Filesize
28KB

Download
memory/3328-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3328-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3328-14-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/3328-21-0x0000000004010000-0x0000000004046000-memory.dmp

Filesize
216KB

Download
memory/3328-28-0x0000000004010000-0x0000000004046000-memory.dmp

Filesize
216KB

Download
memory/3328-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3328-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3328-31-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/3440-60-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/3440-74-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/3440-63-0x00000000053E0000-0x0000000005414000-memory.dmp

Filesize
208KB

Download
memory/3440-64-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3440-61-0x0000000005360000-0x00000000053A6000-memory.dmp

Filesize
280KB

Download
memory/3440-58-0x0000000000A00000-0x0000000000AA4000-memory.dmp

Filesize
656KB

Download
memory/3660-4291-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/3660-4236-0x0000000001060000-0x00000000010F6000-memory.dmp

Filesize
600KB

Download
memory/3660-4714-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/3660-4944-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3660-4715-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3660-4810-0x0000000007030000-0x0000000007036000-memory.dmp

Filesize
24KB

Download
memory/3660-4776-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/3660-4272-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3660-4251-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/3660-4303-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/3660-4232-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/3660-4777-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3660-4329-0x0000000005CA0000-0x0000000005CE2000-memory.dmp

Filesize
264KB

Download
memory/3964-5068-0x0000000002F30000-0x0000000002F9B000-memory.dmp

Filesize
428KB

Download
memory/3964-4940-0x0000000002F30000-0x0000000002F9B000-memory.dmp

Filesize
428KB

Download
memory/3964-4925-0x0000000003200000-0x0000000003275000-memory.dmp

Filesize
468KB

Download
memory/4052-4223-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4428-53-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-41-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-59-0x00007FFFF4AC0000-0x00007FFFF4C9B000-memory.dmp

Filesize
1.9MB

Download
memory/4428-18-0x000001AF0BEA0000-0x000001AF0BEA3000-memory.dmp

Filesize
12KB

Download
memory/4428-33-0x000001AF0BEA0000-0x000001AF0BEA3000-memory.dmp

Filesize
12KB

Download
memory/4428-36-0x000001AF0DF40000-0x000001AF0DF47000-memory.dmp

Filesize
28KB

Download
memory/4428-38-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-37-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-96-0x00007FFFF4AC0000-0x00007FFFF4C9B000-memory.dmp

Filesize
1.9MB

Download
memory/4428-95-0x000001AF0DF40000-0x000001AF0DF45000-memory.dmp

Filesize
20KB

Download
memory/4428-52-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-39-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-40-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-54-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-51-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-44-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-50-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-46-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-47-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-48-0x00007FF6D20A0000-0x00007FF6D21CF000-memory.dmp

Filesize
1.2MB

Download
memory/4428-49-0x00007FFFF4AC0000-0x00007FFFF4C9B000-memory.dmp

Filesize
1.9MB

Download
memory/4652-94-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4700-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4700-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4700-158-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4896-114-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-106-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-290-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-110-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-254-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-173-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-156-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-253-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-122-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-113-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-579-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-108-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5108-93-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/5108-87-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/5108-83-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download