pony | 26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

Analysis

max time kernel
151s
max time network
208s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Size

168KB
MD5

81d77c62cc4f4d3e5891fe39d4748935
SHA1

6544ee27b7a2618504f0a8521462dc5eb5a7baa6
SHA256

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5
SHA512

700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739
SSDEEP

3072:XFHNDtQwr6iCkVBfx/+dAbTUvQyoqdvvuA7NhswmX7bWljZK:XBXr6rkzAd4U5vvuAUwmeO

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.skshospitality.in/js/admin/Panel/gate.php

Attributes

payload_url
http://www.skshospitality.in/js/admin/Panel/invoice.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

LookupSvi.exesecdrv.exesecdrv.exesecdrv.exeLookupSvi.exe

pid process

1704 LookupSvi.exe
1772 secdrv.exe
584 secdrv.exe
1956 secdrv.exe
188 LookupSvi.exe

pid	process
1704	LookupSvi.exe
1772	secdrv.exe
584	secdrv.exe
1956	secdrv.exe
188	LookupSvi.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1720-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1720-74-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1720-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1720-79-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1720-80-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1720-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1956-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exesecdrv.exe

pid process

284 26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704 LookupSvi.exe
584 secdrv.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	secdrv.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	secdrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

LookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exesecdrv.exe

description	pid	process	target process
PID 1152 set thread context of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 set thread context of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1772 set thread context of 584	1772	secdrv.exe	secdrv.exe
PID 584 set thread context of 1956	584	secdrv.exe	secdrv.exe

Drops file in Windows directory 4 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	secdrv.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	secdrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exe

pid	process
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
1704	LookupSvi.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exesecdrv.exesecdrv.exe

description	pid	process
Token: SeDebugPrivilege	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeDebugPrivilege	1704	LookupSvi.exe
Token: SeDebugPrivilege	584	secdrv.exe
Token: SeImpersonatePrivilege	1956	secdrv.exe
Token: SeTcbPrivilege	1956	secdrv.exe
Token: SeChangeNotifyPrivilege	1956	secdrv.exe
Token: SeCreateTokenPrivilege	1956	secdrv.exe
Token: SeBackupPrivilege	1956	secdrv.exe
Token: SeRestorePrivilege	1956	secdrv.exe
Token: SeIncreaseQuotaPrivilege	1956	secdrv.exe
Token: SeAssignPrimaryTokenPrivilege	1956	secdrv.exe
Token: SeImpersonatePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1720	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exesecdrv.exesecdrv.exe

description	pid	process	target process
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1152 wrote to memory of 284	1152	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1720	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 284 wrote to memory of 1704	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 284 wrote to memory of 1704	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 284 wrote to memory of 1704	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 284 wrote to memory of 1704	284	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 1704 wrote to memory of 1772	1704	LookupSvi.exe	secdrv.exe
PID 1704 wrote to memory of 1772	1704	LookupSvi.exe	secdrv.exe
PID 1704 wrote to memory of 1772	1704	LookupSvi.exe	secdrv.exe
PID 1704 wrote to memory of 1772	1704	LookupSvi.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 1772 wrote to memory of 584	1772	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 1956	584	secdrv.exe	secdrv.exe
PID 584 wrote to memory of 188	584	secdrv.exe	LookupSvi.exe
PID 584 wrote to memory of 188	584	secdrv.exe	LookupSvi.exe
PID 584 wrote to memory of 188	584	secdrv.exe	LookupSvi.exe
PID 584 wrote to memory of 188	584	secdrv.exe	LookupSvi.exe

outlook_win_path 1 IoCs

Processes:

secdrv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	secdrv.exe

C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:284

C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe"
3⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1956

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
6⤵
- Executes dropped EXE
PID:188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
Filesize
834B

MD5
2f9af8e0d783cfa432c7041713c8f5ee

SHA1
974e325ade4fd9e3f450913e8269c78d1ef4836a

SHA256
b4c71719b03d24adf1b8d89707cdf20e2b0be78c58686d78c340da6fd3a00eb3

SHA512
3ccb5b22dd0cb7e4841b4979d1c0aa6e921925cc9a187c88d67d6e2f19285ed4acc30424c7e481b61e215bdae8af9d4bdc9c17fada508ff0385cd9d456968c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3BB9C1BA2D19E090AE305B2683903A0_6E9A9670139B949E0946278E14EB2FC8
Filesize
1KB

MD5
b3d0239089fef62c4a3dfa29e2ebff32

SHA1
0a8d0a0ef140c56f56363a77dfe3894d3f97338c

SHA256
9d3c300d8b44eb138afe059655ca379fb17133c5cb8c56c5d56d795533dedae0

SHA512
86ff92d39257d518465b055ccfb5aba2b85b12d0b00ae68f8250f1f1317728a06f1260e1c030dfe6f7499f9d7cfb9a4bc56a1ee0ed882564a2abe82353151a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD
Filesize
408B

MD5
f08f920469e0788638e115e2ce05de5b

SHA1
e401389ca0688475205b2f24a5fc82e0fc7ded03

SHA256
49e6914e064d1e06573524aa7371f65fd71492485af32782b25cc07411ec2666

SHA512
41326b7e25f07fdc5daf2737c56bc90a0f2c660d3dfa7c8bd5d7951a63829f9a1a7ffde3d161a76b2e4c032b704515cb37d09c9263b27fbeafc08de4902509fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
Filesize
188B

MD5
e71b9675775583a2fd6e6fa11a5b2bf0

SHA1
04f9d90e29f2582934360f4282b5f176e34bdadc

SHA256
90092245d11c5ff618128a8a0cde535b6f1dc38dd8cca837c9e5e3610717f1bd

SHA512
f98847f7db9e67709533eef095f5192bb0e46c2e4bfab491e566a882bc3568ea8a9556b6b56a0914760f9f4bebb315ca358721bc333449dab403441e24c33bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a423d139f1926a6fddf2521a5519e9fa

SHA1
9d1d3ee466350f35e5b248e4eaf55963074ef39a

SHA256
5df8b4e6482563b48a5b5f5c89727d8d38cb0b9efa142cb8349eb27f4727a45d

SHA512
a8a9a194253833919aead8571eebdaff9ef5a11048c2e1b94cc82883e333ba259e80974f924207177664e3273cea08260bd4be62afcd25f3646b80eacc4264fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3BB9C1BA2D19E090AE305B2683903A0_6E9A9670139B949E0946278E14EB2FC8
Filesize
412B

MD5
2be8c9e4c85bb057f9c7ebc6b9bcb2e6

SHA1
367c7b577907c649f8c6427aa432a803e8be66f2

SHA256
aa4bae62c8892f798e3ff9e619ef3d3ca0d9e52f904ee8b780498f85ba837812

SHA512
442d810d08547164b1e1cbc58d82f5f548ff41f1ab170b5bcb59a03e70a35665e376baa92d6f9af2391f40344bbf47ef40b2cdae8557e9c317220db768adf90e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
20db5a8e7d98275629cf9f1cc773d04d

SHA1
77fc41175df4e46a860d5bd930e840aca9d57f18

SHA256
27918f39a4fb90f6048480f0050fb5addb68e1b8d6ce7a175ee229016b52fe2d

SHA512
78bd991a3422a04c488b205201db77ab3b87831548451ba727316ef3d814362fb6e60ae112a6c974a6988858d7838d10ba562cf1e212806d5138d21ce2edfbfa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
878B

MD5
77e82aecc02655fff855769896d67a24

SHA1
245fea717a02bfe701a4b56dfcbd3c9b06f49bb7

SHA256
a0db77bc044b37f4473e9af8fe21447939e7b5527be4f4287a6020b57153e70c

SHA512
6abee5d47099acfe29612a0ebe43bc5025088ff538100f48bb9aa06984713769aa160de257157f97f4b0d9feb2f19efcf5a4850c8c6ec046346790640cbe2d84

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
878B

MD5
77e82aecc02655fff855769896d67a24

SHA1
245fea717a02bfe701a4b56dfcbd3c9b06f49bb7

SHA256
a0db77bc044b37f4473e9af8fe21447939e7b5527be4f4287a6020b57153e70c

SHA512
6abee5d47099acfe29612a0ebe43bc5025088ff538100f48bb9aa06984713769aa160de257157f97f4b0d9feb2f19efcf5a4850c8c6ec046346790640cbe2d84

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
20db5a8e7d98275629cf9f1cc773d04d

SHA1
77fc41175df4e46a860d5bd930e840aca9d57f18

SHA256
27918f39a4fb90f6048480f0050fb5addb68e1b8d6ce7a175ee229016b52fe2d

SHA512
78bd991a3422a04c488b205201db77ab3b87831548451ba727316ef3d814362fb6e60ae112a6c974a6988858d7838d10ba562cf1e212806d5138d21ce2edfbfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
memory/188-136-0x0000000000000000-mapping.dmp

Download
memory/188-141-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/284-122-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/284-70-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/284-68-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/284-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/284-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/284-62-0x000000000041D45E-mapping.dmp

Download
memory/284-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/284-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/284-59-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/284-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/284-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-110-0x000000000041D45E-mapping.dmp

Download
memory/584-119-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/584-117-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1152-55-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-69-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-120-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-88-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-102-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-82-0x0000000000000000-mapping.dmp

Download
memory/1720-76-0x000000000041A200-mapping.dmp

Download
memory/1720-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-80-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-79-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1772-92-0x0000000000000000-mapping.dmp

Download
memory/1772-134-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1772-118-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1772-103-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1956-127-0x000000000041A200-mapping.dmp

Download