ammyyadmin | 90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2

Analysis

max time kernel
128s
max time network
149s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
26-10-2023 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
Size

3.5MB
MD5

825f44d2a1ca2f6fe9e670a37bef5949
SHA1

e369059a70d7731a093d1a359430f515e536689d
SHA256

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2
SHA512

dd666c5354d716e987948ce5afcba0c1b76304bb937f91883bc5b1cfc9b3eb5423f0a058e75774160e7081b2a3e3e3ebd2955f91f15a10a12e2f0ee4c3444e62
SSDEEP

98304:Mda0zeATQBUPv45yX9xPjE80JrhFVCY1NhMighXjP5QCDcvdE4:MGUPwENRjEpxLUYjyigBPaCgvdE4

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection discovery evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>C1126BDC-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4692-16-0x0000000003220000-0x0000000003620000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-17-0x0000000003220000-0x0000000003620000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-18-0x0000000003220000-0x0000000003620000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-19-0x0000000003220000-0x0000000003620000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-31-0x0000000003220000-0x0000000003620000-memory.dmp	family_rhadamanthys
behavioral1/memory/4692-33-0x0000000003220000-0x0000000003620000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe

description pid process target process

PID 4692 created 3328 4692 90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

4168 bcdedit.exe
2504 bcdedit.exe
2464 bcdedit.exe
6036 bcdedit.exe
Renames multiple (444) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4744 wbadmin.exe
4128 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

164 netsh.exe
708 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation svchost.exe
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

1108 certreq.exe

description	pid	process	target process
PID 4692 created 3328	4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	Explorer.EXE

pid	process
4168	bcdedit.exe
2504	bcdedit.exe
2464	bcdedit.exe
6036	bcdedit.exe

pid	process
4744	wbadmin.exe
4128	wbadmin.exe

pid	process
164	netsh.exe
708	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation	svchost.exe

pid	process
1108	certreq.exe

Drops startup file 3 IoCs

Processes:

9E7D.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\9E7D.exe	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	9E7D.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe

Executes dropped EXE 10 IoCs

Processes:

_Vg~~.exeC)nSp.exea1L.exeC)nSp.exe9E7D.exe9E7D.exe9E7D.exe9E7D.exe9E7D.exesvchost.exe

pid process

4372 _Vg~~.exe
408 C)nSp.exe
984 a1L.exe
4208 C)nSp.exe
216 9E7D.exe
2848 9E7D.exe
1856 9E7D.exe
4976 9E7D.exe
2900 9E7D.exe
3616 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

_Vg~~.exerundll32.exe

pid process

4372 _Vg~~.exe
4372 _Vg~~.exe
220 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4372	_Vg~~.exe
408	C)nSp.exe
984	a1L.exe
4208	C)nSp.exe
216	9E7D.exe
2848	9E7D.exe
1856	9E7D.exe
4976	9E7D.exe
2900	9E7D.exe
3616	svchost.exe

pid	process
4372	_Vg~~.exe
4372	_Vg~~.exe
220	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9E7D.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9E7D = "C:\\Users\\Admin\\AppData\\Local\\9E7D.exe"	9E7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\9E7D = "C:\\Users\\Admin\\AppData\\Local\\9E7D.exe"	9E7D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

Processes:

9E7D.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	9E7D.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-946614337-2046421199-3397417319-1000\desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9E7D.exe
File opened for modification	C:\Program Files\desktop.ini	9E7D.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9E7D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9E7D.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9E7D.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	9E7D.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	9E7D.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	9E7D.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	9E7D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	9E7D.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exeC)nSp.exe9E7D.exe9E7D.exe

description	pid	process	target process
PID 380 set thread context of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 408 set thread context of 4208	408	C)nSp.exe	C)nSp.exe
PID 216 set thread context of 1856	216	9E7D.exe	9E7D.exe
PID 4976 set thread context of 2900	4976	9E7D.exe	9E7D.exe

Drops file in Program Files directory 64 IoCs

Processes:

9E7D.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-60.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPluginNative.dll	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go-for_the_Gold_.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5511_24x24x32.png	9E7D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\muscle.png	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-125.png	9E7D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ServiceProvider.dll	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\va_60x42.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-100.png	9E7D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg	9E7D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close2x.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-16_altform-unplated.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxManifest.xml	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-48_altform-unplated.png	9E7D.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-100_contrast-white.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.ps1	9E7D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png	9E7D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square310x150Logo.scale-100.png	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms	9E7D.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-32.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_shadow_1.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ai_60x42.png	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\ui-strings.js.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-200.png	9E7D.exe
File opened for modification	C:\Program Files\DismountPop.tiff	9E7D.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_12h.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-200.png	9E7D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js	9E7D.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png	9E7D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js	9E7D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\ui-strings.js	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.INF.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-200.png	9E7D.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sa_60x42.png	9E7D.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.id[C1126BDC-3483].[[email protected]].8base	9E7D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELM	9E7D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-150.png	9E7D.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	9E7D.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll	9E7D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C)nSp.exevds.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C)nSp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C)nSp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C)nSp.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe_Vg~~.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	_Vg~~.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	_Vg~~.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2580 timeout.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4740 vssadmin.exe
4448 vssadmin.exe

pid	process
2580	timeout.exe

pid	process
4740	vssadmin.exe
4448	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

Explorer.EXE9E7D.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	9E7D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.execertreq.exeC)nSp.exe_Vg~~.exeExplorer.EXE

pid	process
4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
1108	certreq.exe
1108	certreq.exe
1108	certreq.exe
1108	certreq.exe
4208	C)nSp.exe
4208	C)nSp.exe
4372	_Vg~~.exe
4372	_Vg~~.exe
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3328 Explorer.EXE

pid	process
3328	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

C)nSp.exeExplorer.EXEexplorer.exe

pid	process
4208	C)nSp.exe
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
820	explorer.exe
820	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exeC)nSp.exeExplorer.EXE9E7D.exe9E7D.exe9E7D.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
Token: SeDebugPrivilege	408	C)nSp.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeDebugPrivilege	216	9E7D.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeDebugPrivilege	4976	9E7D.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeDebugPrivilege	1856	9E7D.exe
Token: SeBackupPrivilege	3392	vssvc.exe
Token: SeRestorePrivilege	3392	vssvc.exe
Token: SeAuditPrivilege	3392	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3020	WMIC.exe
Token: SeSecurityPrivilege	3020	WMIC.exe
Token: SeTakeOwnershipPrivilege	3020	WMIC.exe
Token: SeLoadDriverPrivilege	3020	WMIC.exe
Token: SeSystemProfilePrivilege	3020	WMIC.exe
Token: SeSystemtimePrivilege	3020	WMIC.exe
Token: SeProfSingleProcessPrivilege	3020	WMIC.exe
Token: SeIncBasePriorityPrivilege	3020	WMIC.exe
Token: SeCreatePagefilePrivilege	3020	WMIC.exe
Token: SeBackupPrivilege	3020	WMIC.exe
Token: SeRestorePrivilege	3020	WMIC.exe
Token: SeShutdownPrivilege	3020	WMIC.exe
Token: SeDebugPrivilege	3020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3020	WMIC.exe
Token: SeRemoteShutdownPrivilege	3020	WMIC.exe
Token: SeUndockPrivilege	3020	WMIC.exe
Token: SeManageVolumePrivilege	3020	WMIC.exe
Token: 33	3020	WMIC.exe
Token: 34	3020	WMIC.exe
Token: 35	3020	WMIC.exe
Token: 36	3020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3020	WMIC.exe
Token: SeSecurityPrivilege	3020	WMIC.exe
Token: SeTakeOwnershipPrivilege	3020	WMIC.exe
Token: SeLoadDriverPrivilege	3020	WMIC.exe
Token: SeSystemProfilePrivilege	3020	WMIC.exe
Token: SeSystemtimePrivilege	3020	WMIC.exe
Token: SeProfSingleProcessPrivilege	3020	WMIC.exe
Token: SeIncBasePriorityPrivilege	3020	WMIC.exe
Token: SeCreatePagefilePrivilege	3020	WMIC.exe
Token: SeBackupPrivilege	3020	WMIC.exe
Token: SeRestorePrivilege	3020	WMIC.exe
Token: SeShutdownPrivilege	3020	WMIC.exe
Token: SeDebugPrivilege	3020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3020	WMIC.exe
Token: SeRemoteShutdownPrivilege	3020	WMIC.exe
Token: SeUndockPrivilege	3020	WMIC.exe
Token: SeManageVolumePrivilege	3020	WMIC.exe
Token: 33	3020	WMIC.exe
Token: 34	3020	WMIC.exe
Token: 35	3020	WMIC.exe
Token: 36	3020	WMIC.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeBackupPrivilege	1516	wbengine.exe
Token: SeRestorePrivilege	1516	wbengine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

3616 svchost.exe

pid	process
3616	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exeC)nSp.exe_Vg~~.execmd.exeExplorer.EXE9E7D.exe9E7D.exe9E7D.execmd.execmd.exe

description	pid	process	target process
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 380 wrote to memory of 4692	380	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
PID 4692 wrote to memory of 1108	4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	certreq.exe
PID 4692 wrote to memory of 1108	4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	certreq.exe
PID 4692 wrote to memory of 1108	4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	certreq.exe
PID 4692 wrote to memory of 1108	4692	90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe	certreq.exe
PID 408 wrote to memory of 4208	408	C)nSp.exe	C)nSp.exe
PID 408 wrote to memory of 4208	408	C)nSp.exe	C)nSp.exe
PID 408 wrote to memory of 4208	408	C)nSp.exe	C)nSp.exe
PID 408 wrote to memory of 4208	408	C)nSp.exe	C)nSp.exe
PID 408 wrote to memory of 4208	408	C)nSp.exe	C)nSp.exe
PID 408 wrote to memory of 4208	408	C)nSp.exe	C)nSp.exe
PID 4372 wrote to memory of 3616	4372	_Vg~~.exe	cmd.exe
PID 4372 wrote to memory of 3616	4372	_Vg~~.exe	cmd.exe
PID 4372 wrote to memory of 3616	4372	_Vg~~.exe	cmd.exe
PID 3616 wrote to memory of 2580	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 2580	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 2580	3616	cmd.exe	timeout.exe
PID 3328 wrote to memory of 216	3328	Explorer.EXE	9E7D.exe
PID 3328 wrote to memory of 216	3328	Explorer.EXE	9E7D.exe
PID 3328 wrote to memory of 216	3328	Explorer.EXE	9E7D.exe
PID 216 wrote to memory of 2848	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 2848	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 2848	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 216 wrote to memory of 1856	216	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 4976 wrote to memory of 2900	4976	9E7D.exe	9E7D.exe
PID 1856 wrote to memory of 3092	1856	9E7D.exe	cmd.exe
PID 1856 wrote to memory of 3092	1856	9E7D.exe	cmd.exe
PID 1856 wrote to memory of 5036	1856	9E7D.exe	cmd.exe
PID 1856 wrote to memory of 5036	1856	9E7D.exe	cmd.exe
PID 5036 wrote to memory of 164	5036	cmd.exe	netsh.exe
PID 5036 wrote to memory of 164	5036	cmd.exe	netsh.exe
PID 3092 wrote to memory of 4448	3092	cmd.exe	vssadmin.exe
PID 3092 wrote to memory of 4448	3092	cmd.exe	vssadmin.exe
PID 3092 wrote to memory of 3020	3092	cmd.exe	WMIC.exe
PID 3092 wrote to memory of 3020	3092	cmd.exe	WMIC.exe
PID 5036 wrote to memory of 708	5036	cmd.exe	netsh.exe
PID 5036 wrote to memory of 708	5036	cmd.exe	netsh.exe
PID 3092 wrote to memory of 4168	3092	cmd.exe	bcdedit.exe
PID 3092 wrote to memory of 4168	3092	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
"C:\Users\Admin\AppData\Local\Temp\90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
C:\Users\Admin\AppData\Local\Temp\90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Users\Admin\AppData\Local\Temp\9E7D.exe
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\9E7D.exe
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
3⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Local\Temp\9E7D.exe
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\9E7D.exe
"C:\Users\Admin\AppData\Local\Temp\9E7D.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\9E7D.exe
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
5⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4448

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:4168

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:2504

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:4744

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
- Modifies Windows Firewall
PID:164

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
5⤵
- Modifies Windows Firewall
PID:708

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
4⤵
PID:6028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
4⤵
PID:5820

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
4⤵
PID:5000

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
4⤵
PID:5960

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:952

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4740

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1244

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:2464

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:6036

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:4128

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4484

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1688

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious behavior: MapViewOfSection
PID:820

C:\Users\Admin\AppData\Local\Temp\26D7.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:3616

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:2908

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\26D7.tmp\aa_nts.dll",run
4⤵
- Loads dropped DLL
PID:220

C:\Users\Admin\AppData\Local\Microsoft\_Vg~~.exe
"C:\Users\Admin\AppData\Local\Microsoft\_Vg~~.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\_Vg~~.exe" & del "C:\ProgramData\*.dll"" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2580

C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe
"C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe
C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4208

C:\Users\Admin\AppData\Local\Microsoft\a1L.exe
"C:\Users\Admin\AppData\Local\Microsoft\a1L.exe"
1⤵
- Executes dropped EXE
PID:984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5092

C:\Users\Admin\AppData\Roaming\ijtbbcg
C:\Users\Admin\AppData\Roaming\ijtbbcg
1⤵
PID:1104

C:\Users\Admin\AppData\Roaming\ijtbbcg
C:\Users\Admin\AppData\Roaming\ijtbbcg
2⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C1126BDC-3483].[[email protected]].8base
Filesize
3.2MB

MD5
2bbcc8738a940591c15dc18aaa0ae775

SHA1
6aec420abc79b6ee45defd75422f5b006d1d910f

SHA256
959b186f0c7a4ae98665d91f1bddd7d8e6c0ad5d96e189f89262ef5e403c9a80

SHA512
490d32f63f0708d6597184f01f5d7c25f397a83fdae39f743f4cf2024b9caebced487b94085377330ccb0688ab9f5a67a807f6a5dd8ed2072df96c805433bf8d

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\ProgramData\freebl3.dll
Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.7MB

MD5
08bdc6b26749320ed8af55ccc6ea55ab

SHA1
74aa975d7ac2ac08b2aeccc87eb62f60b57a7969

SHA256
6e3d30e056bb902775b1736f254c811b4f8a019bd7d756b349c1db48ad317ed0

SHA512
a7405ffa2bd5f1a0196dbb09c31b71b4282a0e9d0389e8116e9706d223e0f3bb4a085168f281b4a95dbab2aefdfcfe4f53ee8bdc24f9163e7014486941606cb4

Download Submit
C:\ProgramData\softokn3.dll
Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe
Filesize
1.7MB

MD5
2d8f85c975ee6e7321c5cecc5b83c47a

SHA1
e58860e2c14ae1c2b99c72d3af99383250305392

SHA256
cd4d8b52c3992f7a9c170fd79829ae9e01cd774cbeb75e22b04bd44daa912591

SHA512
b1cd01df354cbada513e60f172c70e62960b1de0fd1c21d32afbff96fde4e8f8cb69e10f8154eccff17e777cab1ee39eeb8370ce3fa893247960882f831f14e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe
Filesize
1.7MB

MD5
2d8f85c975ee6e7321c5cecc5b83c47a

SHA1
e58860e2c14ae1c2b99c72d3af99383250305392

SHA256
cd4d8b52c3992f7a9c170fd79829ae9e01cd774cbeb75e22b04bd44daa912591

SHA512
b1cd01df354cbada513e60f172c70e62960b1de0fd1c21d32afbff96fde4e8f8cb69e10f8154eccff17e777cab1ee39eeb8370ce3fa893247960882f831f14e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\C)nSp.exe
Filesize
1.7MB

MD5
2d8f85c975ee6e7321c5cecc5b83c47a

SHA1
e58860e2c14ae1c2b99c72d3af99383250305392

SHA256
cd4d8b52c3992f7a9c170fd79829ae9e01cd774cbeb75e22b04bd44daa912591

SHA512
b1cd01df354cbada513e60f172c70e62960b1de0fd1c21d32afbff96fde4e8f8cb69e10f8154eccff17e777cab1ee39eeb8370ce3fa893247960882f831f14e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\90c0db8ec400e98196ef525657e1269c5be5292717ad15b39d28ff12a0361cf2.exe.log
Filesize
1016B

MD5
eb3e72abb586428b38f41d71484f335d

SHA1
8375215687670327b15c0d3f063f19e6e2021a09

SHA256
5a9f35944e264977518dc3433c80e3098247bb0909306a1e9c50d924e7b03ada

SHA512
70864b63590ac683e98885818d759fdc3ea9363a5bfc44ded834f6921c9ec8e7df479e8807652ba72c32e2414517c304da03bc1e0fb3d9342469c8e6a6ab288c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9E7D.exe.log
Filesize
1016B

MD5
eb3e72abb586428b38f41d71484f335d

SHA1
8375215687670327b15c0d3f063f19e6e2021a09

SHA256
5a9f35944e264977518dc3433c80e3098247bb0909306a1e9c50d924e7b03ada

SHA512
70864b63590ac683e98885818d759fdc3ea9363a5bfc44ded834f6921c9ec8e7df479e8807652ba72c32e2414517c304da03bc1e0fb3d9342469c8e6a6ab288c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C)nSp.exe.log
Filesize
1016B

MD5
eb3e72abb586428b38f41d71484f335d

SHA1
8375215687670327b15c0d3f063f19e6e2021a09

SHA256
5a9f35944e264977518dc3433c80e3098247bb0909306a1e9c50d924e7b03ada

SHA512
70864b63590ac683e98885818d759fdc3ea9363a5bfc44ded834f6921c9ec8e7df479e8807652ba72c32e2414517c304da03bc1e0fb3d9342469c8e6a6ab288c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db.id[C1126BDC-3483].[[email protected]].8base
Filesize
92KB

MD5
5a800c9782bd5f62c259599d60c538f5

SHA1
69e76bc028c5bf5b32d66efe9eb4cf8e135c3e93

SHA256
d238373271395a51c9ab997a9d3f09bfbfb9306beb44861d851bed693dcacc8c

SHA512
e3b861c88898b209035b8c9cced7216f3bb3f36ce6e09b6500365f48825c257a239de8f4dcc3f4fb1cd6b9c0df8ee5adb73d56b32503ae13bda3e60c3078dc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_Vg~~.exe
Filesize
180KB

MD5
f95e60679dbd15e9880f458208c67e40

SHA1
aad73196caa868f18c4300388e7a3016da5d3bea

SHA256
26631236ff95976ed7af3ff82a8ef32b8801c9a52aded4e047d5bd01fa9f92cc

SHA512
84484674abc2a0d8795cfe3d015a245d647956c03ddf77290c2db7dc3b334f6cfa560bc045c41c40bb5651bff900c7eb9631baa1b9f54f09d5fd75826029cc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_Vg~~.exe
Filesize
180KB

MD5
f95e60679dbd15e9880f458208c67e40

SHA1
aad73196caa868f18c4300388e7a3016da5d3bea

SHA256
26631236ff95976ed7af3ff82a8ef32b8801c9a52aded4e047d5bd01fa9f92cc

SHA512
84484674abc2a0d8795cfe3d015a245d647956c03ddf77290c2db7dc3b334f6cfa560bc045c41c40bb5651bff900c7eb9631baa1b9f54f09d5fd75826029cc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\a1L.exe
Filesize
968KB

MD5
2a40a56b3dbe361864baac57a7815de4

SHA1
a0b67c7eb5bb378010ada7a3cf6bfe4101df9049

SHA256
3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99

SHA512
6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\a1L.exe
Filesize
968KB

MD5
2a40a56b3dbe361864baac57a7815de4

SHA1
a0b67c7eb5bb378010ada7a3cf6bfe4101df9049

SHA256
3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99

SHA512
6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png
Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png
Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png
Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png
Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png
Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png
Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png
Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png
Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.15063.0_none_5f8e4354b974f702\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
d3c040e9217f31648250f4ef718fa13d

SHA1
72e1174edd4ee04b9c72e6d233af0b83fbfc17dc

SHA256
52e4a039e563ee5b63bbf86bdaf28c2e91c87947f4edeebb42691502cb07cbd7

SHA512
e875f1ff68a425567024800c6000a861275c5b882f671178ca97d0dbf0dda2bdd832f38f02138a16817871aa2ddb154998987efc4a9b49ccaac6a22a9713a3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.15063.0_none_c4bc07330185781a\WalletProxy.dll
Filesize
36KB

MD5
590c906654ff918bbe91a14daac58627

SHA1
f598edc38b61654f12f57ab1ddad0f576fe74d0d

SHA256
5d37fbfe7320aa0e215be9d8b05d77a0f5ace2deec010606b512572af2bb4dfc

SHA512
98a50429b039f98dd9adda775e7d2a0d51bb2beea2452247a2041e1f20b3f13b505bcdeecd833030bbecb58f74a82721cc577932dec086fff64ecef5432e8f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.15063.0_none_e6c3164a2494c88b\Windows.ApplicationModel.Wallet.dll
Filesize
405KB

MD5
6161c69d5d0ea175d6c88d7921e41385

SHA1
088b440405ddba778df1736b71459527aca63363

SHA256
8128dff83791b26a01ce2146302f1d8b1159f4943844ab325522cf0fc1e2597e

SHA512
cba6e3d1fcb3147193adde3b0f4a95848996999180b59e7bdf16e834e055261cf53548c3972e84d81f840d862c5af53d44945cf4319f24705aecc7d47d1cda07

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat
Filesize
8KB

MD5
6523a368322f50d964b00962f74b3f65

SHA1
5f360ae5b5b5e76f390e839cf1b440333506e4e8

SHA256
652687424e20a2d6c16ea15ae653150467cfae4993d5ca28dc30106ff8a0ca67

SHA512
210737efc4e2775f261b0dc00ca1ad2aa1a7630633688c5bb9190fa5ff791e9757bbae190f4f7e931f8a4c7e4acf1effce479fdafd3952777ee40d08bdf1c046

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum
Filesize
1KB

MD5
f82f048efc3466bd287ecaa6f5a2d679

SHA1
9eedd9499deae645ffe402eb50361e83def12f14

SHA256
e35cd2ee9eae753175b9b88e032d4973672ff5677b9b7b79eaff1839e0c3044c

SHA512
5cc7337eebc480c482d56a8a5a2c788daa5c4e0370dc33d612caf59c65757cfa7cfc3cbb3321a7e01c6bb97e827962c4d156cfa661ea0b230a43e67940c81230

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
Filesize
8KB

MD5
be70c63aeccef9f4c5175a8741b13b69

SHA1
c5ef2591b7f1df2ecbca40219d2513d516825e9a

SHA256
d648d365d08a7c503edc75535a58f15b865f082b49355254d539a41bf3af87ff

SHA512
b93bf53a5c71a587df7b59fdcaf8046c47e5d82838666ca12e6f56e26c0b9223edf7bf3dbb9352d5718486c531e34a060a05d7924896ab3b6d370dd4ef262186

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum
Filesize
1KB

MD5
741bc0bd78e3693cb950954aa1bf2e52

SHA1
bd322ece9153b51214eda41bba0c6b803d6caa30

SHA256
a349648c7ac60c4711585d09d0c9012f2c8b96077ccaf957c672b34a05c5ad8d

SHA512
b6dd9a8b794ee35fe99f04f5d78b2168157e3fed76752a98b8a39cc5c567ec23581b5c348da6e149ab28ea0cb89c0c0d0f08545174f01ba9d45a860a4eb73b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.cat
Filesize
8KB

MD5
463a0532986607cb1ad6b26e94153c05

SHA1
9aa5b80581530693c1f3cb32a1e107532a2a1a96

SHA256
e07a11415f11c98fa5d6e8fb8baa515be4fd071d3528910273efcbec9e882075

SHA512
a004a39ec97d816f7e2f43cd4b1bd52acbdbc5f358a5bfe6d997bfed223af2b9a9653fee8fb57e0d4ed11135802a49b85a8286a8119996a4ed88c78f641b1f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.mum
Filesize
1KB

MD5
ac62b24ee1c94ba09ff3b85bba930bf2

SHA1
9a9aa17c629d9e2dc09078764f59f081f69bebab

SHA256
a044c0e9036e355cc530e88831cbbe60165477929d0f838c786a513937ff1628

SHA512
1168537c3a9b92c8534434f8cf68a3d4d95a48086beb194c68519db9b65f3f57706a678bb7accf085b9f121c069a8c1fae78a1a64df853fb039a761efebf130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat
Filesize
8KB

MD5
8f1ab8d6a77c7c01da26f26ddfe8b0f6

SHA1
4cae8a293cdf2b439dcd915ab070d9d94855411e

SHA256
f21e412d461eb8138fdc0f4f25d66882deed8c2498a2cbd764de5be116548a52

SHA512
17204b39b08a1275962949acb45b8f12d2d9f57ce49b16d369c58630fa185ac213ed87590dd8bc438e6bc1d477460c604bc346608744e526180b50c6f5e0a5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.mum
Filesize
1KB

MD5
1d420956e62d902c9bd65a62ba34bc2b

SHA1
fc917590f656b79d5d55112926dfa8e8e5635f45

SHA256
a29100bbcc276666b7182bf3b41cf6ddc1cac090dbc109f7674f2b46027fd67c

SHA512
c63177c1615d7635eb3eb13b55d67543954409acd06f19467c0bc20981278866fc3edd07cecf75c9d2256734fd315f05eb5f5f5f646e3960d89f5a969d3ca981

Download Submit
C:\Users\Admin\AppData\Local\Temp\15A1\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.cat
Filesize
8KB

MD5
1ece20c692f338709ea3b121feb5ad38

SHA1
e5eb5b5cc4acb056088c6874e8b415d5c72c4d63

SHA256
7240a7307734a427de9afecd44929e13ae4d2bb1d1ea7c45806b809d43ac7d4a

SHA512
c7cb73e3bf8504860546c365b2d2ce112855f5b7d746c6ae889e21f0cfa9abead94dfe090268fd9e07314cb292a9ade5f6b7a37e7bfeea15c1b740c5bccdbdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\aa_nts.msg
Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D7.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E7D.exe
Filesize
1.7MB

MD5
2519f369f426e4d2cdd88290d1c25d3c

SHA1
e464001902893ab6aea89b8ccfc66f9eb1d45988

SHA256
91abe280381d0faf55b521f51d16d8aa022f0cc14b1310334d4fffc3474459d4

SHA512
bedda8d51127c186946cdb3755f9bcc049a0efc308ed645de52d58cdffa8fad85778e4a77338f1c3d68bd2b725ff68e5829a4bba8879983f7380df350754d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5E7.tmp
Filesize
92KB

MD5
674e2655c91200908ca7eea977ffc25b

SHA1
0ff0e11d5933cf382d7381edbc6f216d97a2e181

SHA256
6d9706346ebea4d1cdb447635404e8a662bc2f40bc6d829b45d50aeedeeaffaa

SHA512
304ad62ea8746a6dd086687bbd9d22031c2a731d0d7809ebffaaa6649ee16a9bc89e2dc17eb360dc81309fde5a797bd9398928708d63c08cc7d4e51c2f959642

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h0hg436k.default-release\cookies.sqlite.id[C1126BDC-3483].[[email protected]].8base
Filesize
96KB

MD5
1d8a7cc3f1f1687898657d5f0ea5550a

SHA1
07def003466181a07a62a093c93ac04fed04b15a

SHA256
03c45b53931f9d04e2796dcba4d51ea9f8668086df722b101cd16b16cc979f77

SHA512
6e035761b49c7894b812e2214e1626549987bc6eeef8d30ad6f2fa7ec3ed0b5083d4c4b95f0fa51dd1e568429bad0327a911b65b437dda9d9baf75481ec74133

Download Submit
C:\info.hta
Filesize
5KB

MD5
4a8bce2cadcd888cdf43bd332869eaa8

SHA1
dc054defc29d7069ddb02f56277b39c9fd7bcb77

SHA256
d84792c63bf296d13a63fb6de6e3b855d2cbdd8a0fce46b56ed82800fdf4dd2e

SHA512
c0055a120959fb55526b0e9086c11dd50d676e00bcfa4e899c2a8b9b3ce89e298f008b6b596bedaea50dd9163c8aef3643707a43a8c78da8e3f46b665241cb64

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\26D7.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
memory/216-184-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/216-183-0x0000000005640000-0x000000000576C000-memory.dmp

Filesize
1.2MB

Download
memory/216-194-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/216-187-0x0000000005910000-0x0000000005944000-memory.dmp

Filesize
208KB

Download
memory/216-186-0x00000000057C0000-0x00000000057F6000-memory.dmp

Filesize
216KB

Download
memory/216-185-0x0000000005770000-0x00000000057BE000-memory.dmp

Filesize
312KB

Download
memory/216-181-0x0000000000AF0000-0x0000000000CB2000-memory.dmp

Filesize
1.8MB

Download
memory/216-182-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/380-5-0x0000000005D60000-0x0000000005DC8000-memory.dmp

Filesize
416KB

Download
memory/380-13-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/380-4-0x0000000005B80000-0x0000000005C00000-memory.dmp

Filesize
512KB

Download
memory/380-3-0x0000000005C30000-0x0000000005C40000-memory.dmp

Filesize
64KB

Download
memory/380-2-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/380-0-0x0000000000ED0000-0x0000000001254000-memory.dmp

Filesize
3.5MB

Download
memory/380-6-0x0000000005E10000-0x0000000005E78000-memory.dmp

Filesize
416KB

Download
memory/380-7-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

Filesize
304KB

Download
memory/380-1-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/380-8-0x00000000067C0000-0x0000000006CBE000-memory.dmp

Filesize
5.0MB

Download
memory/408-78-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/408-63-0x0000000000200000-0x00000000003B6000-memory.dmp

Filesize
1.7MB

Download
memory/408-66-0x0000000004D70000-0x0000000004E92000-memory.dmp

Filesize
1.1MB

Download
memory/408-67-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/408-64-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/408-71-0x0000000004ED0000-0x0000000004F1A000-memory.dmp

Filesize
296KB

Download
memory/408-72-0x0000000004C20000-0x0000000004C52000-memory.dmp

Filesize
200KB

Download
memory/408-73-0x0000000004D30000-0x0000000004D62000-memory.dmp

Filesize
200KB

Download
memory/1108-35-0x000002895D9D0000-0x000002895D9D3000-memory.dmp

Filesize
12KB

Download
memory/1108-56-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-50-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-51-0x00007FF873D40000-0x00007FF873F1B000-memory.dmp

Filesize
1.9MB

Download
memory/1108-49-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-52-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-53-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-54-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-55-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-48-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-46-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-84-0x00007FF873D40000-0x00007FF873F1B000-memory.dmp

Filesize
1.9MB

Download
memory/1108-65-0x00007FF873D40000-0x00007FF873F1B000-memory.dmp

Filesize
1.9MB

Download
memory/1108-20-0x000002895D9D0000-0x000002895D9D3000-memory.dmp

Filesize
12KB

Download
memory/1108-38-0x000002895DB70000-0x000002895DB77000-memory.dmp

Filesize
28KB

Download
memory/1108-40-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-39-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-42-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-43-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1108-83-0x000002895DB70000-0x000002895DB75000-memory.dmp

Filesize
20KB

Download
memory/1108-41-0x00007FF652650000-0x00007FF65277F000-memory.dmp

Filesize
1.2MB

Download
memory/1596-3360-0x0000000002AB0000-0x0000000002AB9000-memory.dmp

Filesize
36KB

Download
memory/1596-3349-0x0000000002AC0000-0x0000000002AC4000-memory.dmp

Filesize
16KB

Download
memory/1736-3431-0x0000000002AB0000-0x0000000002B1B000-memory.dmp

Filesize
428KB

Download
memory/1736-3307-0x0000000002AB0000-0x0000000002B1B000-memory.dmp

Filesize
428KB

Download
memory/1736-3300-0x0000000002B20000-0x0000000002B95000-memory.dmp

Filesize
468KB

Download
memory/1856-193-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1856-195-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1856-188-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1856-684-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2900-204-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2900-1177-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3328-113-0x0000000002890000-0x00000000028A6000-memory.dmp

Filesize
88KB

Download
memory/4208-77-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4208-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4208-115-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4372-145-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download
memory/4372-146-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4372-81-0x0000000000820000-0x000000000083B000-memory.dmp

Filesize
108KB

Download
memory/4372-82-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download
memory/4372-170-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download
memory/4372-155-0x0000000000820000-0x000000000083B000-memory.dmp

Filesize
108KB

Download
memory/4372-85-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4372-164-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download
memory/4372-80-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4484-3239-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/4484-3240-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/4692-33-0x0000000003220000-0x0000000003620000-memory.dmp

Filesize
4.0MB

Download
memory/4692-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4692-19-0x0000000003220000-0x0000000003620000-memory.dmp

Filesize
4.0MB

Download
memory/4692-18-0x0000000003220000-0x0000000003620000-memory.dmp

Filesize
4.0MB

Download
memory/4692-17-0x0000000003220000-0x0000000003620000-memory.dmp

Filesize
4.0MB

Download
memory/4692-16-0x0000000003220000-0x0000000003620000-memory.dmp

Filesize
4.0MB

Download
memory/4692-15-0x0000000001520000-0x0000000001527000-memory.dmp

Filesize
28KB

Download
memory/4692-23-0x0000000003FE0000-0x0000000004016000-memory.dmp

Filesize
216KB

Download
memory/4692-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4692-32-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4692-9-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4692-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4692-30-0x0000000003FE0000-0x0000000004016000-memory.dmp

Filesize
216KB

Download
memory/4692-31-0x0000000003220000-0x0000000003620000-memory.dmp

Filesize
4.0MB

Download
memory/4752-3504-0x0000000002B40000-0x0000000002B4A000-memory.dmp

Filesize
40KB

Download
memory/4752-3511-0x0000000002B30000-0x0000000002B3B000-memory.dmp

Filesize
44KB

Download
memory/4976-205-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/4976-199-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4976-198-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download