pony | 26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Size

168KB
MD5

81d77c62cc4f4d3e5891fe39d4748935
SHA1

6544ee27b7a2618504f0a8521462dc5eb5a7baa6
SHA256

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5
SHA512

700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739
SSDEEP

3072:XFHNDtQwr6iCkVBfx/+dAbTUvQyoqdvvuA7NhswmX7bWljZK:XBXr6rkzAd4U5vvuAUwmeO

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.skshospitality.in/js/admin/Panel/gate.php

Attributes

payload_url
http://www.skshospitality.in/js/admin/Panel/invoice.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

LookupSvi.exesecdrv.exesecdrv.exesecdrv.exeLookupSvi.exe

pid process

3136 LookupSvi.exe
1972 secdrv.exe
4532 secdrv.exe
920 secdrv.exe
1912 LookupSvi.exe

pid	process
3136	LookupSvi.exe
1972	secdrv.exe
4532	secdrv.exe
920	secdrv.exe
1912	LookupSvi.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1416-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1416-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1416-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1416-149-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1416-169-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/920-178-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/920-177-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/920-186-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/920-190-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exesecdrv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LookupSvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	secdrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	secdrv.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	secdrv.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	secdrv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

LookupSvi.exeLookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exesecdrv.exe

description	pid	process	target process
PID 4964 set thread context of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 set thread context of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 1972 set thread context of 4532	1972	secdrv.exe	secdrv.exe
PID 4532 set thread context of 920	4532	secdrv.exe	secdrv.exe

Drops file in Windows directory 4 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	secdrv.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	secdrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe

pid	process
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exesecdrv.exesecdrv.exeLookupSvi.exe

description	pid	process
Token: SeDebugPrivilege	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeDebugPrivilege	3136	LookupSvi.exe
Token: SeImpersonatePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeImpersonatePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeTcbPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeChangeNotifyPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeCreateTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeBackupPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeRestorePrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeIncreaseQuotaPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeAssignPrimaryTokenPrivilege	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
Token: SeDebugPrivilege	4532	secdrv.exe
Token: SeImpersonatePrivilege	920	secdrv.exe
Token: SeTcbPrivilege	920	secdrv.exe
Token: SeChangeNotifyPrivilege	920	secdrv.exe
Token: SeCreateTokenPrivilege	920	secdrv.exe
Token: SeBackupPrivilege	920	secdrv.exe
Token: SeRestorePrivilege	920	secdrv.exe
Token: SeIncreaseQuotaPrivilege	920	secdrv.exe
Token: SeAssignPrimaryTokenPrivilege	920	secdrv.exe
Token: SeDebugPrivilege	1912	LookupSvi.exe
Token: SeImpersonatePrivilege	920	secdrv.exe
Token: SeTcbPrivilege	920	secdrv.exe
Token: SeChangeNotifyPrivilege	920	secdrv.exe
Token: SeCreateTokenPrivilege	920	secdrv.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exeLookupSvi.exesecdrv.exe26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exesecdrv.exesecdrv.exe

description	pid	process	target process
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 4964 wrote to memory of 3540	4964	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 1416	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
PID 3540 wrote to memory of 3136	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 3540 wrote to memory of 3136	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 3540 wrote to memory of 3136	3540	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	LookupSvi.exe
PID 3136 wrote to memory of 1972	3136	LookupSvi.exe	secdrv.exe
PID 3136 wrote to memory of 1972	3136	LookupSvi.exe	secdrv.exe
PID 3136 wrote to memory of 1972	3136	LookupSvi.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1972 wrote to memory of 4532	1972	secdrv.exe	secdrv.exe
PID 1416 wrote to memory of 5020	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	cmd.exe
PID 1416 wrote to memory of 5020	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	cmd.exe
PID 1416 wrote to memory of 5020	1416	26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe	cmd.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 920	4532	secdrv.exe	secdrv.exe
PID 4532 wrote to memory of 1912	4532	secdrv.exe	LookupSvi.exe
PID 4532 wrote to memory of 1912	4532	secdrv.exe	LookupSvi.exe
PID 4532 wrote to memory of 1912	4532	secdrv.exe	LookupSvi.exe
PID 920 wrote to memory of 3504	920	secdrv.exe	cmd.exe
PID 920 wrote to memory of 3504	920	secdrv.exe	cmd.exe
PID 920 wrote to memory of 3504	920	secdrv.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

secdrv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	secdrv.exe

C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe"
3⤵
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240626671.bat" "C:\Users\Admin\AppData\Local\Temp\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe" "
4⤵
PID:5020

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240661750.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe" "
7⤵
PID:3504

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
Filesize
834B

MD5
2f9af8e0d783cfa432c7041713c8f5ee

SHA1
974e325ade4fd9e3f450913e8269c78d1ef4836a

SHA256
b4c71719b03d24adf1b8d89707cdf20e2b0be78c58686d78c340da6fd3a00eb3

SHA512
3ccb5b22dd0cb7e4841b4979d1c0aa6e921925cc9a187c88d67d6e2f19285ed4acc30424c7e481b61e215bdae8af9d4bdc9c17fada508ff0385cd9d456968c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3BB9C1BA2D19E090AE305B2683903A0_6E9A9670139B949E0946278E14EB2FC8
Filesize
1KB

MD5
b3d0239089fef62c4a3dfa29e2ebff32

SHA1
0a8d0a0ef140c56f56363a77dfe3894d3f97338c

SHA256
9d3c300d8b44eb138afe059655ca379fb17133c5cb8c56c5d56d795533dedae0

SHA512
86ff92d39257d518465b055ccfb5aba2b85b12d0b00ae68f8250f1f1317728a06f1260e1c030dfe6f7499f9d7cfb9a4bc56a1ee0ed882564a2abe82353151a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD
Filesize
408B

MD5
94dc33bceea96d15c429d1e287024fec

SHA1
4f2b174e3e13b5480207714b5d77f93eeeb82437

SHA256
5a5bfa1549c82e46d6ddf9411fd88becb96b395dd6bcd39705a2c12f22019374

SHA512
45357476e21811d9b2360133639c6a6db55ca46d18d243a5eb1cb8703e221274941d6a1e14ae95d7aa662b3e0febfe046a3a07b57bc064702913cc320a76e30a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
Filesize
188B

MD5
97e41b03d9fb1c08a304d7efe85ca606

SHA1
f8f5ea4280a24f7e9c69c4258070de1f6bb13592

SHA256
9c8fcdc04169ed03f34469985ca2408aa95d72ef74d0e9755c9a47de7adeba0d

SHA512
dee7c7c2502e624e8ca062d5c023700fae344e2f386f127286920bbe8fe8cb8a13e390b771b3a8e4c4a9c16dd50eee83456acefd114fe73eeffb6e274b80a7a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3BB9C1BA2D19E090AE305B2683903A0_6E9A9670139B949E0946278E14EB2FC8
Filesize
412B

MD5
aaaaf8204cf871b0d76c6b8698ace7a7

SHA1
bed18f1969c94bc2e2393f57e295732acd054900

SHA256
b8a44de72380042fd0b16cf5783086ed40c94d34e16bf2173e2ba685feda31b5

SHA512
ae4b20df5978f789b3eb2d54299a8ace9cfb0314651c3de03ee0e941e9e12b34b5e7abb093ab62ade671572e6d541df95e3e90d652dc87ed74a42646967509b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5.exe.log
Filesize
411B

MD5
7b3aaa92a5853b3c00bbdaaff2fbd94f

SHA1
5027af92cb95dc0813a7cbacb0f94a6062d6c14f

SHA256
67eada0df5a336edc5bc3c49ed6e6b589e9b76eb533a352ccc8990db1f41303c

SHA512
8f1315f761890b8795d863efad26149306936972448a22bbf6b2ef2022ef5338640d2311f6dea884046301de86157f21a48e0835885d8934f31ed1b8c7dd407c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log
Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\240626671.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240661750.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Filesize
412B

MD5
164342be5355b7a49bbec3b352f323fa

SHA1
f6bb17a37ef6e6baa5642a00a5e09998ae56989d

SHA256
9b9484ac94a4c1f439fed84c2fbf6ceb1634af4a21fc26726659bc5293fd56d3

SHA512
f827f4aa3eb694833b721afc5cb989d53ed2a44a2a6efe9609af202251b77729fef4265331798eb475ac135c5657199180525485a85145b01412ed1f5d352ec6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
Filesize
168KB

MD5
81d77c62cc4f4d3e5891fe39d4748935

SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6

SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5

SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
b451576a9531a140bf1215cead083909

SHA1
2e287e19a4ac5407563ab62cd1ce978e0f5625fb

SHA256
01b10ad70cf5f2e432eae2c5b234801de07251e9e7223ec7be4787260012b7ec

SHA512
95ab0d216a62507af263ad809e09345eaea481b556c84427063f44e4ce42d0186e95b549cf717322c14444bdd1287a83a3cd6cfaba2ac169335de143b66beac1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
878B

MD5
20f69cd95a3c046ebd66ec7fa93929f7

SHA1
51c0f5a8aaca8fc6f025f0c96de59fdcb7b23eff

SHA256
a158376aded4a93b5ade9f839cdf4a3b99636fc556b8fe5a583669a19d593192

SHA512
23d6360489b25d9b2168e33da761d94903bb17c3d712e055e791fde09173c8df0da9fd00bf9d8c701dfa72e2b193b14652137da425591bf3301d13f23f5dc127

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
b451576a9531a140bf1215cead083909

SHA1
2e287e19a4ac5407563ab62cd1ce978e0f5625fb

SHA256
01b10ad70cf5f2e432eae2c5b234801de07251e9e7223ec7be4787260012b7ec

SHA512
95ab0d216a62507af263ad809e09345eaea481b556c84427063f44e4ce42d0186e95b549cf717322c14444bdd1287a83a3cd6cfaba2ac169335de143b66beac1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
878B

MD5
20f69cd95a3c046ebd66ec7fa93929f7

SHA1
51c0f5a8aaca8fc6f025f0c96de59fdcb7b23eff

SHA256
a158376aded4a93b5ade9f839cdf4a3b99636fc556b8fe5a583669a19d593192

SHA512
23d6360489b25d9b2168e33da761d94903bb17c3d712e055e791fde09173c8df0da9fd00bf9d8c701dfa72e2b193b14652137da425591bf3301d13f23f5dc127

Download Submit
memory/920-173-0x0000000000000000-mapping.dmp

Download
memory/920-190-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/920-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/920-177-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/920-178-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1416-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1416-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1416-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1416-139-0x0000000000000000-mapping.dmp

Download
memory/1416-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1416-169-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1912-188-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1912-187-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1912-179-0x0000000000000000-mapping.dmp

Download
memory/1972-164-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1972-166-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1972-153-0x0000000000000000-mapping.dmp

Download
memory/3136-151-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3136-171-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3136-144-0x0000000000000000-mapping.dmp

Download
memory/3136-150-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3504-189-0x0000000000000000-mapping.dmp

Download
memory/3540-134-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3540-137-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3540-138-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3540-172-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3540-133-0x0000000000000000-mapping.dmp

Download
memory/4532-165-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4532-161-0x0000000000000000-mapping.dmp

Download
memory/4532-167-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4964-132-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4964-136-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/5020-168-0x0000000000000000-mapping.dmp

Download