Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2023, 19:28
Static task: static1
Behavioral task: behavioral1
  Sample: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
  Resource: win10v2004-20230915-en
General
Target: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
Size: 1.9MB
MD5: 1b87684768db892932be3f0661c54251
SHA1: e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA256: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA512: 0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
SSDEEP: 24576:jx4Ul0rrIOGz9I6U7AeyGvHynlLghECQl4L529dktxtPCv1ri+J/ac//zWOYopmB:mUl0/2kHW8ECQl4wi+snopp2vQ
Malware Config
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Extracted
C:\info.hta
Extracted
F:\info.hta
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000400000002133f-6442.dat | family_ammyyadmin
behavioral2/files/0x000400000002133f-6446.dat | family_ammyyadmin
Detect rhadamanthys stealer shellcode 6 IoCs
resource | yara_rule
behavioral2/memory/3940-14-0x0000000002870000-0x0000000002C70000-memory.dmp | family_rhadamanthys
behavioral2/memory/3940-15-0x0000000002870000-0x0000000002C70000-memory.dmp | family_rhadamanthys
behavioral2/memory/3940-16-0x0000000002870000-0x0000000002C70000-memory.dmp | family_rhadamanthys
behavioral2/memory/3940-17-0x0000000002870000-0x0000000002C70000-memory.dmp | family_rhadamanthys
behavioral2/memory/3940-27-0x0000000002870000-0x0000000002C70000-memory.dmp | family_rhadamanthys
behavioral2/memory/3940-29-0x0000000002870000-0x0000000002C70000-memory.dmp | family_rhadamanthys
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Phobos
Phobos ransomware appeared at the beginning of 2019.
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 3940 created 2564 | 3940 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 40
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid | Process
4968 | bcdedit.exe
756 | bcdedit.exe
872 | bcdedit.exe
1428 | bcdedit.exe
Renames multiple (469) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Blocklisted process makes network request 1 IoCs
flow | pid | Process
97 | 4924 | rundll32.exe
pid | Process
2136 | wbadmin.exe
4768 | wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
4224 | netsh.exe
4172 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | (yw3t.exe
Drops startup file 3 IoCs
description | ioc | Process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\(yw3t.exe | (yw3t.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | (yw3t.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[1708EF3E-3483].[[email protected]].8base | (yw3t.exe
Executes dropped EXE 11 IoCs
pid | Process
4744 | (yw3t.exe
3408 | Csb.exe
4524 | (yw3t.exe
992 | Csb.exe
3912 | (yw3t.exe
3712 | (yw3t.exe
288 | 6E94.exe
4620 | 7328.exe
2096 | 6E94.exe
4724 | svchost.exe
2360 | 7328.exe
Loads dropped DLL 1 IoCs
pid | Process
4924 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(yw3t = "C:\\Users\\Admin\\AppData\\Local\\(yw3t.exe" | (yw3t.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(yw3t = "C:\\Users\\Admin\\AppData\\Local\\(yw3t.exe" | (yw3t.exe
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\Saved Games\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Libraries\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini (yw3t.exe File opened for modification C:\Program Files (x86)\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Pictures\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (yw3t.exe File opened for modification C:\Users\Public\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Documents\desktop.ini (yw3t.exe File 
opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Downloads\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Searches\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Videos\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Music\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini (yw3t.exe File opened for modification C:\Program Files\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Links\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet 
Explorer\Quick Launch\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Music\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini (yw3t.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Documents\desktop.ini (yw3t.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini (yw3t.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini (yw3t.exe File opened for modification 
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini (yw3t.exe File opened for modification C:\Users\Admin\Videos\desktop.ini (yw3t.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini (yw3t.exe File opened for modification C:\Users\Public\Desktop\desktop.ini (yw3t.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | svchost.exe
Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 1904 set thread context of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 4744 set thread context of 4524 | 4744 | (yw3t.exe | 105
PID 3408 set thread context of 992 | 3408 | Csb.exe | 108
PID 3912 set thread context of 3712 | 3912 | (yw3t.exe | 109
PID 288 set thread context of 2096 | 288 | 6E94.exe | 129
PID 4620 set thread context of 2360 | 4620 | 7328.exe | 136
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\iw_get.svg (yw3t.exe File created C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\load-typekit.js (yw3t.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms (yw3t.exe File created C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg (yw3t.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Safety_Objects.jpg (yw3t.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fr.pak.DATA (yw3t.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Cryptomining (yw3t.exe File opened for modification C:\Program 
Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-white.png (yw3t.exe File opened for modification C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui (yw3t.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui (yw3t.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.strings.psd1 (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png (yw3t.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties (yw3t.exe File created C:\Program Files\Mozilla Firefox\updater.exe.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll (yw3t.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files 
(x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\beta.identity_helper.exe.manifest (yw3t.exe File created C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.bat.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_shmem.dll.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-unplated.png (yw3t.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png (yw3t.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELM.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png (yw3t.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\PlayStore_icon.svg (yw3t.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt (yw3t.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo (yw3t.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36.png (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api (yw3t.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons.png (yw3t.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msgfilt.dll.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vcruntime140.dll (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16_altform-unplated_contrast-white.png (yw3t.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-lightunplated.png (yw3t.exe File created C:\Program 
Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd (yw3t.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-125_contrast-black.png (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-400.png (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\ui-strings.js (yw3t.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\ui-strings.js.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\en-US\msaddsr.dll.mui (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png (yw3t.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png (yw3t.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\ui-strings.js (yw3t.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\msedge_7z.data (yw3t.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server-15.jar.id[1708EF3E-3483].[[email protected]].8base (yw3t.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe (yw3t.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Csb.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Csb.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Csb.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3744 | vssadmin.exe
4964 | vssadmin.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings | (yw3t.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1904 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe 3940 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe 3940 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe 3940 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe 3940 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe 1872 certreq.exe 1872 certreq.exe 1872 certreq.exe 1872 certreq.exe 992 Csb.exe 992 Csb.exe 2564 Explorer.EXE 2564 Explorer.EXE 4524 (yw3t.exe 4524 (yw3t.exe 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 4524 (yw3t.exe 4524 (yw3t.exe 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 4524 (yw3t.exe 4524 (yw3t.exe 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 4524 (yw3t.exe 4524 (yw3t.exe 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 4524 (yw3t.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2564 | Explorer.EXE
Suspicious behavior: MapViewOfSection 33 IoCs
pid Process 992 Csb.exe 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 2564 Explorer.EXE 1108 explorer.exe 1108 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1904 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe Token: SeDebugPrivilege 4744 (yw3t.exe Token: SeDebugPrivilege 3408 Csb.exe Token: SeDebugPrivilege 3912 (yw3t.exe Token: SeDebugPrivilege 4524 (yw3t.exe Token: SeBackupPrivilege 216 vssvc.exe Token: SeRestorePrivilege 216 vssvc.exe Token: SeAuditPrivilege 216 vssvc.exe Token: SeIncreaseQuotaPrivilege 1664 WMIC.exe Token: SeSecurityPrivilege 1664 WMIC.exe Token: SeTakeOwnershipPrivilege 1664 WMIC.exe Token: SeLoadDriverPrivilege 1664 WMIC.exe Token: SeSystemProfilePrivilege 1664 WMIC.exe Token: SeSystemtimePrivilege 1664 WMIC.exe Token: SeProfSingleProcessPrivilege 1664 WMIC.exe Token: SeIncBasePriorityPrivilege 1664 WMIC.exe Token: SeCreatePagefilePrivilege 1664 WMIC.exe Token: SeBackupPrivilege 1664 WMIC.exe Token: SeRestorePrivilege 1664 WMIC.exe Token: SeShutdownPrivilege 1664 WMIC.exe Token: SeDebugPrivilege 1664 WMIC.exe Token: SeSystemEnvironmentPrivilege 1664 WMIC.exe Token: SeRemoteShutdownPrivilege 1664 WMIC.exe Token: SeUndockPrivilege 1664 WMIC.exe Token: SeManageVolumePrivilege 1664 WMIC.exe Token: 33 1664 WMIC.exe Token: 34 1664 WMIC.exe Token: 35 1664 WMIC.exe Token: 36 1664 WMIC.exe Token: SeIncreaseQuotaPrivilege 1664 WMIC.exe Token: SeSecurityPrivilege 1664 WMIC.exe Token: SeTakeOwnershipPrivilege 1664 WMIC.exe Token: SeLoadDriverPrivilege 1664 WMIC.exe Token: SeSystemProfilePrivilege 1664 WMIC.exe Token: SeSystemtimePrivilege 1664 WMIC.exe Token: SeProfSingleProcessPrivilege 1664 WMIC.exe Token: SeIncBasePriorityPrivilege 1664 WMIC.exe Token: SeCreatePagefilePrivilege 1664 WMIC.exe Token: SeBackupPrivilege 1664 WMIC.exe Token: SeRestorePrivilege 1664 WMIC.exe Token: SeShutdownPrivilege 1664 WMIC.exe Token: SeDebugPrivilege 1664 WMIC.exe Token: SeSystemEnvironmentPrivilege 1664 WMIC.exe Token: SeRemoteShutdownPrivilege 1664 WMIC.exe Token: SeUndockPrivilege 1664 WMIC.exe Token: SeManageVolumePrivilege 1664 WMIC.exe Token: 33 
1664 WMIC.exe Token: 34 1664 WMIC.exe Token: 35 1664 WMIC.exe Token: 36 1664 WMIC.exe Token: SeBackupPrivilege 4260 wbengine.exe Token: SeRestorePrivilege 4260 wbengine.exe Token: SeSecurityPrivilege 4260 wbengine.exe Token: SeShutdownPrivilege 2564 Explorer.EXE Token: SeCreatePagefilePrivilege 2564 Explorer.EXE Token: SeShutdownPrivilege 2564 Explorer.EXE Token: SeCreatePagefilePrivilege 2564 Explorer.EXE Token: SeDebugPrivilege 288 6E94.exe Token: SeDebugPrivilege 4620 7328.exe Token: SeShutdownPrivilege 2564 Explorer.EXE Token: SeCreatePagefilePrivilege 2564 Explorer.EXE Token: SeShutdownPrivilege 2564 Explorer.EXE Token: SeCreatePagefilePrivilege 2564 Explorer.EXE Token: SeShutdownPrivilege 2564 Explorer.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4724 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 1904 wrote to memory of 3940 | 1904 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 89
PID 3940 wrote to memory of 1872 | 3940 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 97
PID 3940 wrote to memory of 1872 | 3940 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 97
PID 3940 wrote to memory of 1872 | 3940 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 97
PID 3940 wrote to memory of 1872 | 3940 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | 97
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 4744 wrote to memory of 4524 | 4744 | (yw3t.exe | 105
PID 3408 wrote to memory of 992 | 3408 | Csb.exe | 108
PID 3408 wrote to memory of 992 | 3408 | Csb.exe | 108
PID 3408 wrote to memory of 992 | 3408 | Csb.exe | 108
PID 3408 wrote to memory of 992 | 3408 | Csb.exe | 108
PID 3408 wrote to memory of 992 | 3408 | Csb.exe | 108
PID 3408 wrote to memory of 992 | 3408 | Csb.exe | 108
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 3912 wrote to memory of 3712 | 3912 | (yw3t.exe | 109
PID 4524 wrote to memory of 3960 | 4524 | (yw3t.exe | 110
PID 4524 wrote to memory of 3960 | 4524 | (yw3t.exe | 110
PID 4524 wrote to memory of 4448 | 4524 | (yw3t.exe | 112
PID 4524 wrote to memory of 4448 | 4524 | (yw3t.exe | 112
PID 3960 wrote to memory of 3744 | 3960 | cmd.exe | 114
PID 3960 wrote to memory of 3744 | 3960 | cmd.exe | 114
PID 4448 wrote to memory of 4224 | 4448 | cmd.exe | 115
PID 4448 wrote to memory of 4224 | 4448 | cmd.exe | 115
PID 3960 wrote to memory of 1664 | 3960 | cmd.exe | 118
PID 3960 wrote to memory of 1664 | 3960 | cmd.exe | 118
PID 3960 wrote to memory of 4968 | 3960 | cmd.exe | 119
PID 3960 wrote to memory of 4968 | 3960 | cmd.exe | 119
PID 3960 wrote to memory of 756 | 3960 | cmd.exe | 120
PID 3960 wrote to memory of 756 | 3960 | cmd.exe | 120
PID 3960 wrote to memory of 2136 | 3960 | cmd.exe | 121
PID 3960 wrote to memory of 2136 | 3960 | cmd.exe | 121
PID 4448 wrote to memory of 4172 | 4448 | cmd.exe | 125
PID 4448 wrote to memory of 4172 | 4448 | cmd.exe | 125
PID 2564 wrote to memory of 288 | 2564 | Explorer.EXE | 127
PID 2564 wrote to memory of 288 | 2564 | Explorer.EXE | 127
PID 2564 wrote to memory of 288 | 2564 | Explorer.EXE | 127
PID 2564 wrote to memory of 4620 | 2564 | Explorer.EXE | 128
PID 2564 wrote to memory of 4620 | 2564 | Explorer.EXE | 128
PID 2564 wrote to memory of 4620 | 2564 | Explorer.EXE | 128
PID 288 wrote to memory of 2096 | 288 | 6E94.exe | 129
PID 288 wrote to memory of 2096 | 288 | 6E94.exe | 129
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
(Process tree; indentation shows the parent/child level, each entry gives the image path, the command line and the PID.)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2564
    C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1904
        C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 3940
    C:\Windows\system32\certreq.exe
      Command line: "C:\Windows\system32\certreq.exe"
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 1872
    C:\Users\Admin\AppData\Local\Temp\6E94.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\6E94.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 288
        C:\Users\Admin\AppData\Local\Temp\6E94.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\6E94.exe
          - Executes dropped EXE
          PID: 2096
    C:\Users\Admin\AppData\Local\Temp\7328.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7328.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      PID: 4620
        C:\Users\Admin\AppData\Local\Temp\7328.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7328.exe"
          - Executes dropped EXE
          PID: 2360
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
      PID: 2356
    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 2248
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 3352
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 296
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 2772
    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 64
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 4904
    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 1760
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 1228
    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 4312
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 4076
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 3412
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 5044
    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 4056
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious behavior: MapViewOfSection
      PID: 1108
        C:\Users\Admin\AppData\Local\Temp\B561.tmp\svchost.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\B561.tmp\svchost.exe -debug
          - Checks computer location settings
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of FindShellTrayWindow
          PID: 4724
            C:\Windows\SYSTEM32\rundll32.exe
              Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\B561.tmp\aa_nts.dll",run
              - Blocklisted process makes network request
              - Loads dropped DLL
              PID: 4924

C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4744
    C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe
      Command line: C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4524
        C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe
          Command line: "C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3912
            C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe
              Command line: C:\Users\Admin\AppData\Local\Microsoft\(yw3t.exe
              - Executes dropped EXE
              PID: 3712
        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
          PID: 3960
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID: 3744
            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
              PID: 1664
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
              PID: 4968
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
              PID: 756
            C:\Windows\system32\wbadmin.exe
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
              PID: 2136
        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
          PID: 4448
            C:\Windows\system32\netsh.exe
              Command line: netsh advfirewall set currentprofile state off
              - Modifies Windows Firewall
              PID: 4224
            C:\Windows\system32\netsh.exe
              Command line: netsh firewall set opmode mode=disable
              - Modifies Windows Firewall
              PID: 4172
        C:\Windows\SysWOW64\mshta.exe
          Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          PID: 1372
        C:\Windows\SysWOW64\mshta.exe
          Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          PID: 4956
        C:\Windows\SysWOW64\mshta.exe
          Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          PID: 992
        C:\Windows\SysWOW64\mshta.exe
          Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          PID: 2872
        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          PID: 3868
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID: 4964
            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              PID: 1552
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
              PID: 872
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
              PID: 1428
            C:\Windows\system32\wbadmin.exe
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
              PID: 4768

C:\Users\Admin\AppData\Local\Microsoft\Csb.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\Csb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3408
    C:\Users\Admin\AppData\Local\Microsoft\Csb.exe
      Command line: C:\Users\Admin\AppData\Local\Microsoft\Csb.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 992

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 216

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 4260

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 3860

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID: 1948
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
SHA2562c1f7c27bfbad7cd75797c1ee8bb70c32cca9e75807902b85ec62234300c60cc
SHA5125ac20e041a79af9c8e9a6bffb2993d4d750c9db8aa7c028009264de9e471a77b2ebcfda9834fec6f6e4bfceb73adce348cdad39c6733bd47d01a36b90790c0fe
-
Filesize
438KB
MD5f83e21e1dd3cf4a70c357dbaef7d4cd8
SHA14d8bdd84b7b474108e6793338e497efa8d36c89f
SHA2562989e367b7aa355b05a2b89fd62ede8e3f129a85d3d391bddbd519a6331c8c8e
SHA51297738994fd6e77767f4a69e317c62e3d4f46b7ffd8f931864d93ef4bfc1c7734c4c2a1ea474f821fdd4145f0917fbfde39403faf0585ec526daa8a4c5c0d0931
-
Filesize
446KB
MD5b9e4ee9c00304a3fe3f56034dbd77ab5
SHA1d66e3e810f1ed8d11bd10b646e51a9ea27c076e3
SHA25629ac9f6c347c8afe3e35f64eebe00e6e2e1a10cef12649d4207a8723cf32218f
SHA512de2ba8bfbfe9fd28724638bcfbb9111e98c0039eae1bed32cad609aafccbda4dce0ac13f73df18efbf193e788946419d0043f8ba5cc196814a7e370150b6a587
-
Filesize
5KB
MD59b9bd361f4e35f3fb12efb847d394b1c
SHA1c64a7b722d1c6c2dc325cb3f7266a04ce74380a4
SHA256c2524e3d1ad09fba2f35459de1d24edbe9faea9f0ef8a0491dc61868cbec9cf5
SHA5125bdc07afdb72e6c27f81011e0a3b654512a6f84a1a23fccaf79a90b6157f3a89a018c954f18fd51e863fe853d07925d871e15fcfc3ace35960fa2da1f00452b8
-
Filesize
5KB
MD59b9bd361f4e35f3fb12efb847d394b1c
SHA1c64a7b722d1c6c2dc325cb3f7266a04ce74380a4
SHA256c2524e3d1ad09fba2f35459de1d24edbe9faea9f0ef8a0491dc61868cbec9cf5
SHA5125bdc07afdb72e6c27f81011e0a3b654512a6f84a1a23fccaf79a90b6157f3a89a018c954f18fd51e863fe853d07925d871e15fcfc3ace35960fa2da1f00452b8
-
Filesize
5KB
MD59b9bd361f4e35f3fb12efb847d394b1c
SHA1c64a7b722d1c6c2dc325cb3f7266a04ce74380a4
SHA256c2524e3d1ad09fba2f35459de1d24edbe9faea9f0ef8a0491dc61868cbec9cf5
SHA5125bdc07afdb72e6c27f81011e0a3b654512a6f84a1a23fccaf79a90b6157f3a89a018c954f18fd51e863fe853d07925d871e15fcfc3ace35960fa2da1f00452b8
-
Filesize
5KB
MD59b9bd361f4e35f3fb12efb847d394b1c
SHA1c64a7b722d1c6c2dc325cb3f7266a04ce74380a4
SHA256c2524e3d1ad09fba2f35459de1d24edbe9faea9f0ef8a0491dc61868cbec9cf5
SHA5125bdc07afdb72e6c27f81011e0a3b654512a6f84a1a23fccaf79a90b6157f3a89a018c954f18fd51e863fe853d07925d871e15fcfc3ace35960fa2da1f00452b8
-
Filesize
5KB
MD59b9bd361f4e35f3fb12efb847d394b1c
SHA1c64a7b722d1c6c2dc325cb3f7266a04ce74380a4
SHA256c2524e3d1ad09fba2f35459de1d24edbe9faea9f0ef8a0491dc61868cbec9cf5
SHA5125bdc07afdb72e6c27f81011e0a3b654512a6f84a1a23fccaf79a90b6157f3a89a018c954f18fd51e863fe853d07925d871e15fcfc3ace35960fa2da1f00452b8
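The listing above is the report's dropped-file table, which is only useful to a responder once it is turned into a checkable IOC set. The following is an added example, not code from the report or from tria.ge: it parses entries from that listing (tolerating the label being fused to its value, separated from it by a space, or alone on a line with the value following), rejects digests of the wrong length, pulls the victim id and contact tag out of the 8base-renamed file names, collapses the blocks that the page lists more than once, and matches a byte blob against the set. SAMPLE is copied from the entries above, including one repeated block; the contact address is shown on the page only as "[email protected]" and is kept that way. The function names, the DroppedFile class and the 8base filename regex are this example's own assumptions.

```python
"""Turn a tria.ge dropped-file listing into a checkable IOC set (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entries copied from the listing above (report data, one block repeated as on the page).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\A3CD\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll
Filesize36KB
MD5d09724c29a8f321f2f9c552de6ef6afa
SHA1d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA25623cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[1708EF3E-3483].[[email protected]].8base
Filesize52KB
MD5a5e3a8048817380f8fd5128112053940
SHA18d3d8dc7d7be9c6cc024f89fdc0a342151154219
SHA256cdcc819ce6e3365a50d8dd108378584cd90818d2ac59f7676c3b83d963d34d94
SHA51296f2c56d5f3888452cb93abd900623f3abcbb6df598fbd22dd74efdfca3ae7384737cfad3f95da709abf6920aa830b5750d7918b151a7156e85d83494645fe01
-
"""

LABELS = ("SHA512", "SHA256", "SHA1", "MD5", "Filesize")  # longest first so "SHA1" cannot swallow "SHA256"
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Encrypted-file name pattern seen in the listing: <name>.id[<victim id>].[<contact>].8base (assumed regex)
EIGHTBASE = re.compile(r"\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<contact>.+)\]\.8base$")


@dataclass
class DroppedFile:
    path: Optional[str] = None  # the page shows no path for some resources
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def _store(entry: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        entry.size = value
    else:
        entry.hashes[label.lower()] = value.lower()


def parse_listing(text: str) -> List[DroppedFile]:
    """Entries are separated by '-'; a label may carry its value on the same line or on the next one."""
    entries: List[DroppedFile] = []
    cur, pending = DroppedFile(), None  # pending: label whose value is on the following line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.hashes:
                entries.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:
            _store(cur, pending, line)
            pending = None
            continue
        for label in LABELS:
            if line.startswith(label):
                value = line[len(label):].strip()
                if value:
                    _store(cur, label, value)
                else:
                    pending = label
                break
        else:
            cur.path = line  # any other line is the dropped-file path
    if cur.path or cur.hashes:
        entries.append(cur)
    return entries


def validate(entry: DroppedFile) -> List[str]:
    """A truncated or mistyped digest never matches anything; flag it instead of shipping it."""
    return [f"{algo}: bad digest {d!r}" for algo, d in entry.hashes.items()
            if len(d) != HEX_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", d)]


def ransom_tag(path: Optional[str]) -> Optional[Dict[str, str]]:
    """Victim id and contact from an 8base-renamed file name, or None for any other path."""
    m = EIGHTBASE.search(path) if path else None
    return m.groupdict() if m else None


def unique_count(entries: List[DroppedFile]) -> int:
    """Blocks listed several times are the same content dropped to several places."""
    return len({e.hashes.get("sha256") for e in entries if e.hashes.get("sha256")})


def build_index(entries: List[DroppedFile]) -> Dict[str, DroppedFile]:
    index: Dict[str, DroppedFile] = {}
    for e in entries:
        for digest in e.hashes.values():
            index.setdefault(digest, e)
    return index


def hashes_of(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def match_bytes(data: bytes, index: Dict[str, DroppedFile]) -> Optional[DroppedFile]:
    """Return the IOC entry a blob matches on any of the four digests, or None."""
    for digest in hashes_of(data).values():
        if digest in index:
            return index[digest]
    return None


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    print(f"{len(entries)} entries, {unique_count(entries)} unique files")
    for e in entries:
        print(e.size, e.hashes["sha256"][:16], ransom_tag(e.path) or "", validate(e) or "ok")
```

Feed the whole listing (not just SAMPLE) into parse_listing and hand build_index the result to sweep a suspect host's files with match_bytes; the sha256 set from unique_count is what belongs in a blocklist, since the repeated blocks add nothing.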