Malware Analysis Report

2024-11-16 13:23

Sample ID 241004-2htsfazerl
Target 0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N
SHA256 0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8
Tags
discovery persistence renamer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8

Threat Level: Known bad

The file 0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N was found to be: Known bad.

Malicious Activity Summary

discovery persistence renamer worm

Detects Renamer worm.

Renamer, Grenam

Drops startup file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-04 22:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-04 22:35

Reported

2024-10-04 22:37

Platform

win7-20240729-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 376 set thread context of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 set thread context of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1980 set thread context of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 set thread context of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1448 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2188 set thread context of 2036 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1484 set thread context of 2336 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 2336 set thread context of 1908 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 1800 set thread context of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1908 set thread context of 2640 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 2036 set thread context of 2680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 2640 set thread context of 1916 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 2680 set thread context of 2488 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\vPurblePlace.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjconsole.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjavafxpackager.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\velevation_service.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vuninstall.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOXMLED.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjar.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\vbckgzm.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjabswitch.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjstatd.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\vnbexec.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\RCX9592.tmp C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjavaws.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0 C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\RCX95A2.tmp C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\vcom.oracle.jmc.executable.win32.win32.x86_64_5.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\vcom.oracle.jmc.executable.win32.win32.x86_64_5.5.0 C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\7-Zip\v7zG.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\RCX948D.tmp C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjstatd.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Microsoft Games\Chess\vChess.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCX92C4.tmp C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\vbckgzm.ico C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 376 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2320 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 2596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 2596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 2596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 1952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1980 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1448 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1448 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

Network

N/A

Files

memory/376-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

memory/376-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/376-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/376-3-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2320-4-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-5-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2320-21-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-18-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-24-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2320-23-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2320-22-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2320-14-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-13-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-8-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/2320-6-0x00000000001C0000-0x00000000002F4000-memory.dmp

memory/376-25-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2320-26-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2136-27-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-46-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-47-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2136-43-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-39-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-38-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-33-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-31-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2136-29-0x00000000001C0000-0x00000000002E8000-memory.dmp

memory/2320-48-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2136-49-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2596-51-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2596-60-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2596-61-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2596-59-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2596-56-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2596-54-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2596-52-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2136-62-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1448-65-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1448-76-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1448-75-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1448-74-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1448-71-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1448-69-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1448-67-0x0000000000400000-0x0000000000500000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

MD5 cf7e259dd0225ae86a29f5952bcb5b4d
SHA1 4c6b2363a754bcaa07edeee5b4837b464cfb5d5c
SHA256 bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8
SHA512 91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

MD5 0aaaf1668decb824d75242df795ee7b0
SHA1 df803cfda6898ce64d5a5d498875c324b1b17f2e
SHA256 0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8
SHA512 2b746820c3cb54cd3978c2596f64db59d451481ec93dc6c454590f67902487ec691a76fb6b5c93b0945e3a4c02277004cd08cadc45b338674f67f64794bf8d34

\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

MD5 54b446b04c83570cc974ed428b416a63
SHA1 f6e9eb6319a45d381baef998ce45e50f247cbc7d
SHA256 ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4
SHA512 0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

\Program Files\7-Zip\v7z.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

\Program Files\7-Zip\v7zFM.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

\Program Files\7-Zip\v7zG.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

\Program Files\7-Zip\vUninstall.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

\Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOXMLED.EXE

MD5 f45a7db6aec433fd579774dfdb3eaa89
SHA1 2f8773cc2b720143776a0909d19b98c4954b39cc
SHA256 2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a
SHA512 03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

\Program Files\Google\Chrome\Application\vchrome.exe

MD5 095092f4e746810c5829038d48afd55a
SHA1 246eb3d41194dddc826049bbafeb6fc522ec044a
SHA256 2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA512 7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

\Program Files\Google\Chrome\Application\vchrome_proxy.exe

MD5 b65d7344b0a7faa207d2e1a7adaafb60
SHA1 755ad15b1745b0e730d658d4a92e2b754425b7db
SHA256 f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92
SHA512 f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

\Program Files\Google\Chrome\Application\106.0.5249.119\vchrome_pwa_launcher.exe

MD5 527e039ba9add8a7fac3a6bc30a6d476
SHA1 729a329265eda72cada039c1941e7c672addfc19
SHA256 4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94
SHA512 9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

\Program Files\Google\Chrome\Application\106.0.5249.119\velevation_service.exe

MD5 ec6386b63c3a5ffe0577905e94262c3a
SHA1 8f8c428d0e7f32c9d733ca28384ded413a060588
SHA256 302c968ab3e1227d54df4e72f39088d7483d25eeb3037f0b16bc39cef2728fa4
SHA512 ddbefb759858493de1f9d7addc6ff4488c8be3164374e0a88c3cbe97751510005dfe6d91c5499fcbdc35aa33a8eda2d45591a66e54ab9462277dc833faef77c3

\Program Files\Google\Chrome\Application\106.0.5249.119\vnotification_helper.exe

MD5 81664a918656ecd5e8eca90cedba1150
SHA1 580d0eb98bb2c838ff89eb54efd86535ee8882f6
SHA256 2f664c756727c321a3a0fb6c6e68842ca1a5f20575a02312ea10675dbd5dc40e
SHA512 7a211a01c674aaa5e8052dd339b412892c452309b651e835f0b8e27f15ee3fed42c58f43910a202150ca90704f522499deb7bca055451f1e6c8515b2d491df3d

\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\vchrmstp.exe

MD5 2161730a7ae00a1fb8c5020a43be949f
SHA1 8db6b820472cdfa266c874e0d3a9395412995aa1
SHA256 07e7896b2304e3b9966294a02d2ed32f41994ee7bd0a284e4160743edaeb9e15
SHA512 aa3659b6184f4273b7fcf1f7d2cd0a5a9129b8856d15e4ca8904b709e85cd432538ce0510ca9777760a1a9d5391671232a79908860e7d665260a54910f6fea5a

\Program Files\Java\jdk1.7.0_80\bin\vappletviewer.exe

MD5 c9aaf1247944e0928d6a7eae35e8cdc4
SHA1 af91d57336d495bb220d8f72dcf59f34f5998fd3
SHA256 05b153ba07dc1a262fb1013d42bfc24d9000ce607f07d227593c975cdf0bb25b
SHA512 bf3bc64135810948626105a8f76dc4439e68ee531f20d901c3082ae2155f2ea35f34d408de44b46ede61ded832fcc61ac1cb9719e432f0f07b49479c95847e51

\Program Files\Java\jdk1.7.0_80\bin\vapt.exe

MD5 407d2d7dab36cdea871d4c6b9c62b258
SHA1 86cd158ad810c6772c22a5799c7acf4b9d7c9f57
SHA256 3c040679ea4be0cc5ca20c9f24caf6c13d3002560347e7446dc963b611523bd9
SHA512 dcdb53a3ca2a3637216a9d8133d1dbda336a6d3a98c6b956af42f94adbc136dc5a0245e87512d0314f23dbf3cab4900bc40ac13c79ee93a677d93a89e0cd9e17

\Program Files\Java\jdk1.7.0_80\bin\vextcheck.exe

MD5 1cb4c95888edfdedb61628680fffd415
SHA1 3336670c701c61bb8062d7620c4244dbc01756d1
SHA256 182d8ab5ec2ee2ec57d60c2d2d75df6c852810e74c50289aa9c2c99a6b050fc6
SHA512 24c8c05baef516fba5aa763c0abc603065a75e5816501c713b24ec8baddad4fc290b3973dad89ac65f09d0277c2fa72d8b00f0eb2871170dbd89a8d9062bacf3

\Program Files\Java\jdk1.7.0_80\bin\vidlj.exe

MD5 26b70aa2ab871a72a3fd30829f2f1f29
SHA1 73934bad6bf5ca22484a88e1a4b1263ae278c419
SHA256 4e11bf944fb0a34c5cf1871fec3c8f7473e1944642cadf89a86db2eed874d35f
SHA512 40cacfff6c7f47aa0703e8cb3186f8bacbff1d56dc0547d67c44e716fc0d28705995a439a88a02ce8a262628b33cf2f6ec6f0586cdc2fc86597e3da4fb6a1d84

\Program Files\Java\jdk1.7.0_80\bin\vjarsigner.exe

MD5 2f7770a34bb22b99f8f6966851331d82
SHA1 2a2860cde1482df656544e1983e957f815be4193
SHA256 f873c02b69408f905c2c0b35b188d2c0b0a7cccc98a59d18dd0c297f761d2ef7
SHA512 8611f8bace081711d6f5dcd41177f594314970c5b2f328755027383e4ad2a239bbd85e0cedf6d1a76d9d1f54afbd340c9bd4ab119bb87cfd5a11149a0cb71dfc

\Program Files\Java\jdk1.7.0_80\bin\vjar.exe

MD5 3eeb342d48cfaa4c568a93ffdfc847d0
SHA1 ed5fd565c4a1867ca554314f038fc20c7de01b90
SHA256 29e65344e34c2354da05e8de64b106aa0ec99d8c5c22b58797d0047e227879ff
SHA512 db5b84233d40139c44cb8fd1a43e1c8a41c967358641e1488cc19474a8de381c5aa2c84f61b10d69d019f0d7170177cccea47ce9460d409a480c8537232a2ef0

\Program Files\Java\jdk1.7.0_80\bin\vjabswitch.exe

MD5 502e87232756dfacda7d1686d4bc9ea4
SHA1 6e40897d0a957783b8b88f2a6487dba028954b22
SHA256 d230ada81f3add58fd8a646d25b8f25fe6271b3eed5edef9fdc8945baabd5631
SHA512 96366e76942f6da30c02e9f6cf7cdf0cb7550455c8cbaaae7358d15a2258e1f0b2bfa960d52cb774039f2070dc8c383c3df187805f4910d40601b853e4309d9b

\Program Files\Java\jdk1.7.0_80\bin\vjava-rmi.exe

MD5 a5f4cccc602a42b4ddbd8acbcf34f158
SHA1 5f26277884b2f6cdac26267f9b582ac5a5d21b08
SHA256 2d9044e9265fc09680d5f0c054c4ccac7d8d14b3a4a42e803a2097108e0f1acc
SHA512 3cb0d0028468edb1687c6142ce3ed6b594428bd209bf8b85ab2315e7992af12c4d622f26e652d6be0718d51d0d6a171c0a881b36d2e67a199998442e91621149

\Program Files\Java\jdk1.7.0_80\bin\vjava.exe

MD5 641b4ed6ab90a6f52ee512ea88a64cd1
SHA1 28d014900accc98e6089d83d0b2a8cb8735ed101
SHA256 13590945a04037dfd15d61166e0771682c7809674fca42f53fdb3afdcbe21410
SHA512 00a588556196e305dbf1714e573a5c5516c2988356b984a7284ba017a78bacb8d576b590da35be40171d6dca73580c5b9ab06808c7246c2e13c8d9b816f2ca09

\Program Files\Java\jdk1.7.0_80\bin\vjavadoc.exe

MD5 516f6320ae4d755b9ea0c7c8347f5801
SHA1 bfce7c2869725ec8f327b083be57d20671fcb2a2
SHA256 9e696aa5772e8cba27545b47b00be4a3b8fc888f8c83ca11939b753850feab14
SHA512 0e12bc2f01f2897df41e56cee150177a3cc09ca5e889b61fcb9dbe07391a6f2537454401a2ca2ad93c652303a8e5782fd9860ca83734401393e314570175a6f0

\Program Files\Java\jdk1.7.0_80\bin\vjavafxpackager.exe

MD5 cace8f27a66ffec4f9823aa258c307a9
SHA1 dc515d29aa43d2b6b7e157f05e97e87d5f785884
SHA256 3cf626dac6e91a03f688bf5ab674871a3e0411314f261bb2c69346a1c46bc733
SHA512 4a5d5b564bd483e1949826d388e41c63a7b056236c5972c76721fd98c9b704a79622ed4c1b045080e4470340a9953595df955148999e15677f0e38e529a6a5f7

\Program Files\Java\jdk1.7.0_80\bin\vjavac.exe

MD5 000b77a2ed92887856174641dfb6f485
SHA1 7872d9768f3a4b0601b91bd0b55f08c8992819e6
SHA256 1100a8d298426491aeb34288f7d6e600622f2d94fc01bfeb093fcea3ac32a8e4
SHA512 cec8642269bee8162b8d317ba61777b4005cb2dae8e9837bfd336bc6fd633066cd52b878160f4496113c147a7d0374619367e9bb451e82f7a5a39f0db3fde152

\Program Files\Java\jdk1.7.0_80\bin\vjavah.exe

MD5 8ffd9b7406e8aecf1d6117606d2bd149
SHA1 edf1f0f2f1024cd0fb6b39dadca251c99ccdedcc
SHA256 dd6b65e78cb194055494bbb7736ef917d3d6da1863567afe50b8abfc8e51267d
SHA512 ee54a1bec20608477053e87c641cc59dfe3c5a77061395c9d41759c3c559d6d5e8761b75327f3a05e62c602031650ec0be375a1b2235a944048ab340efce7397

\Program Files\Java\jdk1.7.0_80\bin\vjavap.exe

MD5 95cf3bf094a35c9e7434bc402c09630c
SHA1 2b4d21ee55666f0664a644ec443502a942b9e7d4
SHA256 4973b97a274648d53977499891b919f98684fdbebce10751d71ce4d2754f6622
SHA512 09db399afec354ab699701f4196e93178db613421beda9e695bc36414698f83084d05b70595d2b31fe2a0d757ba98640f7e3953defb8dd71df03e4c01391fe8e

\Program Files\Java\jdk1.7.0_80\bin\vjavaw.exe

MD5 0266d98252b6beee2e842d5e876031a8
SHA1 8d57c6d94835ac6b1b0f9a657af6baa4be25779d
SHA256 c5d59069dcaf86222c9c189c8ba8932ced66ab77b4baad485e1f0ac715e6037c
SHA512 7eebbff75a67a0408ff2f507d9f1b387dcfbe6765ccd4247fd78a64c2ea6090e88fd30f561e30f48bc107dd9378364fd18dba4ea22eedee76a1f993fbb1e9f32

C:\Program Files\Java\jdk1.7.0_80\bin\vjavaws.ico

MD5 38b41d03e9dfcbbd08210c5f0b50ba71
SHA1 2fbfde75ce9fe8423d8e7720bf7408cedcb57a70
SHA256 611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5
SHA512 ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

\Program Files\Java\jdk1.7.0_80\bin\vjavaws.exe

MD5 bf91501c9b39c728ade2cf3788b647c8
SHA1 fbcb53c4ca9836f5bbfbb2b63e7a1a00a6bf10c6
SHA256 d602330327fd3630d625c9023131fd2318f677c67aa421631b8a4080dba38578
SHA512 01a6639a580bd418cc4d1dd2bd8794f356c08b6f7fa801245e9200c883d32c6b103aeac2615195868a8e63e3515911de2a9afcced21f62fc41edefdd0a66001c

\Program Files\Java\jdk1.7.0_80\bin\vjcmd.exe

MD5 36e8cb42bbfc16e1395a88d183caed83
SHA1 ca1c513aaa7d49adfe0f43ceec81e6d0c0ae67d8
SHA256 40ea55ebd7ef975135dafffb396871a8ab728abc24b42eaab76f08859994e996
SHA512 f7620b06a5d43d21a0d492b66b0e5bacea6918f1490fb0504e9440524b7ef02ba83d2ae3c2211113b478b8325a3a6b6c8f65939ef5a01b835451cce2e72de00f

\Program Files\Java\jdk1.7.0_80\bin\vjconsole.exe

MD5 805f6272e5e3a80aac3540cc5b42b08e
SHA1 437bee3476647f7b55a49630cb86ed4befc34293
SHA256 910dbe44d17bd60a295a956e98e18347080cc879ed7ef7241cd2d0edfc060551
SHA512 319f8f50dfca4adf148edf878fa7c83bc6e4f1053da0c7d412645fcae9c63e67b838c876838805d9a33b28067947d3844479c9ddab11eb9e760b9df285f27041

\Program Files\Java\jdk1.7.0_80\bin\vjdb.exe

MD5 0b5681808a793728fc658f1e9b94ec52
SHA1 05763b10f153447edcc08afeeeee71fa2f221033
SHA256 d18fab0d0e24e8f1d9551e2667f6b2c34fcd75232c39e85ce50660588174079f
SHA512 65e64980a30285b29888b9eeb66ec1c27c98a15effd67d761c3c62358e3ec008fbda61feda4fada8f9af8bce740b8f38236495c6f1b274d98c14209cd56b414c

\Program Files\Java\jdk1.7.0_80\bin\vjhat.exe

MD5 1dbd51882c2b82a5496106c31db425f1
SHA1 f47bee48a7d0da0c4930cccc6fe7a8d8600d4b05
SHA256 659fecc81e846405613c2080ac81a567df17c97449a9c2ba179ac216280223db
SHA512 81418b0510b58f782b843312069842aeeede8d35feb8f393807169398464896f281dc13bc82d51279a07adfbe97758b82143218cf9a56d653b3a9d11da62f50f

\Program Files\Java\jdk1.7.0_80\bin\vjinfo.exe

MD5 f499825b88d200d9348b5f97ff297ec7
SHA1 366adce5911c160fa26d6fdb4d65af357cf0e3bc
SHA256 8b2d599efa66da695e503b480f355fc5f22347fcf5c294100abaeb3e9a20c1f6
SHA512 3017bf630ba53ee0855d1e657df197732e4fe2fa6455fabad2085e5a24918589d487362fc2819fff85b3fcf7e684376d4b7a5bbc6e71ea57cc62ab397a87dba9

\Program Files\Java\jdk1.7.0_80\bin\vjmap.exe

MD5 30989429490b9ccbde4fae1fc6df84e4
SHA1 64c8cf20ebb4e8dc31521f0084eb046a9e3f0500
SHA256 aa98634e3668beae535738d25c2094a7ef0d855ebd9d945b484368f9e543bc0d
SHA512 9a78ed9cd8dcf333ea240ff309e24a2e5de39bbeba4e9291b55d51fdbc10ee672c674a9f4393b13819562a0d9bc99667eb03519cefed0218444874f15729eefe

\Program Files\Java\jdk1.7.0_80\bin\vjmc.exe

MD5 c8db7998995218d59addc586ce9679d6
SHA1 694f18eef5aa6dfe1aa607ad5a08980f9656ed07
SHA256 e3712cd917e4d41696165a98233443d63dbfb28560967de92ca4e707c50d7df2
SHA512 ba7bdfae350c4b98067a2875295a20fbee1b7e9cb1f1afde1a299ca1b8d6aab3996dec59119cd83214461018e5e4ff91894ad3f0e909359382cf5183811d3d12

\Program Files\Java\jdk1.7.0_80\bin\vjps.exe

MD5 4ce9dbe70ae911f1fef704e2c5594214
SHA1 3431c1d6fa21e04e79f0b2f48cd30b037ab009cb
SHA256 e45733934ff8c01f79a98ea2fd6b2a78fc5f0164e5d4fea7aef5119c7218a5fd
SHA512 291420138d84108ebbb8f3dc81bc4595206144b8eac0a459ae63754aa137a3d6789330dc764c6dafb5cecc76908166d93cccaecbcb3987d4cbba662980ee6359

\Program Files\Java\jdk1.7.0_80\bin\vjrunscript.exe

MD5 c77fa8599058f2f08f6f028ad1ba3d29
SHA1 ea42e7eed011b8b71f32d4d47827a5b56198d134
SHA256 db2beff59876773d223f4813c05c65a1e582604c420ae6d7f6f3844a0a060398
SHA512 f2834be1925ca448884877e7236d2febb72190ebf43a2dab29a76b71c4976360d56df17879966ec74c60b3d62dadd81d577e3034961ed64418c0300f9710f43f

\Program Files\Java\jdk1.7.0_80\bin\vjstack.exe

MD5 095d24917473c666b8906e45852378f7
SHA1 2ca5842715ad03982eb9094786832775926e4b4d
SHA256 3289a0fb8c701e7eae9fc792329c0eff6cd2a42ffbf1845f4e630a3e1a019529
SHA512 fba9fe4ca6498c9fcf0d251906b537286f2e7bdb2399293c71f9b0bce379c2684da14212231535a81889928fcbe0adf7354bc83e272a3f6d9082f125494cc50c

\Program Files\Java\jdk1.7.0_80\bin\vjsadebugd.exe

MD5 da1c77dc8b88afc927144ac6814ffecc
SHA1 ff50b5fefd7275f3972f2e3f228384816fe22e63
SHA256 78d50c2ca489676456b3a0ccd1696dda0f1e1e144baacd26cdbc472869578b30
SHA512 02fbc972c889a71947b2671bcc7e22f9a0edce3e0462f332753d974d73035315aef7b4ae1069e309aa560f98065b792447b2ef8f1e8be1874969de916b2f3e25

F:\autorun.inf

MD5 5513829683bff23161ca7d8595c25c72
SHA1 9961b65bbd3bac109dddd3a161fc30650e8a7096
SHA256 94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2
SHA512 308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-04 22:35

Reported

2024-10-04 22:37

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

Signatures

Detects Renamer worm.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renamer, Grenam

worm renamer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe" C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3640 set thread context of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 set thread context of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 set thread context of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 set thread context of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1560 set thread context of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 set thread context of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 4564 set thread context of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 2612 set thread context of 3112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 5052 set thread context of 4436 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 4436 set thread context of 4700 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 2676 set thread context of 916 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4700 set thread context of 2060 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 3112 set thread context of 4800 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 2060 set thread context of 4384 N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
PID 4800 set thread context of 624 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3640 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 1440 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 5060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 3948 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 3948 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 3948 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
PID 1148 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1148 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1148 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 1560 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
PID 4564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
PID 4564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 432

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3640-0-0x0000000075062000-0x0000000075063000-memory.dmp

memory/3640-1-0x0000000075060000-0x0000000075611000-memory.dmp

memory/3640-2-0x0000000075060000-0x0000000075611000-memory.dmp

memory/3640-3-0x0000000075060000-0x0000000075611000-memory.dmp

memory/1440-4-0x0000000000400000-0x0000000000534000-memory.dmp

memory/3640-7-0x0000000075060000-0x0000000075611000-memory.dmp

memory/1440-6-0x0000000075060000-0x0000000075611000-memory.dmp

memory/1440-8-0x0000000075060000-0x0000000075611000-memory.dmp

memory/1440-9-0x0000000075060000-0x0000000075611000-memory.dmp

memory/1440-10-0x0000000075060000-0x0000000075611000-memory.dmp

memory/5060-13-0x0000000075060000-0x0000000075611000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe.log

MD5 3bc2150211e33cd343b025da5a9b1457
SHA1 a180ee6e62a496a226590390651a1d3708c7b89c
SHA256 ff2e05f53cc9b927bed429bb2df53290223b459c49be1bea6b0ef13c52903787
SHA512 e192903a8d0855203615c2ddd60c45c791492327fcd8a025e1dd1744cc2a526a4e90b8619e19b170f3ed808f3cbe4c839dc86fc70d97c5b0fb86ea529b78442c

memory/5060-14-0x0000000075060000-0x0000000075611000-memory.dmp

memory/1440-16-0x0000000075060000-0x0000000075611000-memory.dmp

memory/5060-15-0x0000000075060000-0x0000000075611000-memory.dmp

memory/5060-17-0x0000000075060000-0x0000000075611000-memory.dmp

memory/5060-20-0x0000000075060000-0x0000000075611000-memory.dmp

memory/3948-19-0x0000000075060000-0x0000000075611000-memory.dmp

memory/3948-21-0x0000000075060000-0x0000000075611000-memory.dmp

memory/4564-24-0x0000000000400000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

MD5 cf7e259dd0225ae86a29f5952bcb5b4d
SHA1 4c6b2363a754bcaa07edeee5b4837b464cfb5d5c
SHA256 bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8
SHA512 91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

MD5 0aaaf1668decb824d75242df795ee7b0
SHA1 df803cfda6898ce64d5a5d498875c324b1b17f2e
SHA256 0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8
SHA512 2b746820c3cb54cd3978c2596f64db59d451481ec93dc6c454590f67902487ec691a76fb6b5c93b0945e3a4c02277004cd08cadc45b338674f67f64794bf8d34

memory/3948-40-0x0000000075060000-0x0000000075611000-memory.dmp

memory/2612-42-0x0000000000400000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

MD5 54b446b04c83570cc974ed428b416a63
SHA1 f6e9eb6319a45d381baef998ce45e50f247cbc7d
SHA256 ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4
SHA512 0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

memory/3112-56-0x0000000000400000-0x000000000051A000-memory.dmp

memory/916-68-0x0000000000730000-0x000000000080B000-memory.dmp

memory/916-73-0x0000000000730000-0x000000000080B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log

MD5 a5dcc7c9c08af7dddd82be5b036a4416
SHA1 4f998ca1526d199e355ffb435bae111a2779b994
SHA256 e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA512 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

memory/624-101-0x0000000000400000-0x00000000004EA000-memory.dmp