Malware Analysis Report

2024-11-16 13:22

Sample ID 241030-chcfqavblj
Target 940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90
SHA256 940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90
Tags
renamer discovery worm evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90

Threat Level: Known bad

The file 940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90 was found to be: Known bad.

Malicious Activity Summary

renamer discovery worm evasion

Detects Renamer worm.

Renamer family

Renamer, Grenam

Modifies firewall policy service

Drops file in Drivers directory

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 02:04

Signatures

Detects Renamer worm.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Renamer family

renamer

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 02:04

Reported

2024-10-30 02:06

Platform

win7-20240903-en

Max time kernel

140s

Max time network

119s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

Detects Renamer worm.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Renamer family

renamer

Renamer, Grenam

worm renamer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\vsetup.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\vConvertInkStore.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vjavafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vidlj.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vjrunscript.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\DVD Maker\vDVDMaker.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TABTIP.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vextcheck.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\vjabswitch.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\vMSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\7-Zip\v7zG.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\MAHJONG\MAHJONG.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vjavap.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\CHESS\CHESS.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\RCXDCC.tmp | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\vInputPersonalization.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vjstat.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Windows Journal\vJournal.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\7-ZIP\7ZG.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\velevation_service.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\vnbexec.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\FREECELL\FREECELL.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\vmsinfo32.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\vJournal.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\vwab.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\MIP.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\PROGRAM FILES\MICROSOFT GAMES\SPIDERSOLITAIRE\SPIDERSOLITAIRE.EXE | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Windows NT\Accessories\RCX1329.tmp | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\7-Zip\v7z.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\velevation_service.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\vielowutil.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vjarsigner.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vjmap.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vjps.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\vwordpad.ico | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe | N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\wininit.exe
PID 1688 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\winlogon.exe
PID 1688 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\services.exe
PID 1688 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\lsass.exe
PID 1688 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\lsm.exe
PID 1688 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe
PID 1688 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe
PID 1688 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\System32\svchost.exe
PID 1688 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\System32\svchost.exe

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\1691774455\zmstage.exe

C:\Users\Admin\AppData\Local\Temp\1691774455\zmstage.exe

C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe

"C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe"

Network

N/A

Files

\Users\Admin\AppData\Roaming\Paint.exe

\Program Files\7-Zip\v7z.exe

\Program Files\7-Zip\v7zFM.exe

\Program Files\7-Zip\v7zG.exe

C:\Program Files\7-Zip\RCX6B7.tmp

\Program Files\7-Zip\vUninstall.exe

\Program Files\Common Files\Microsoft Shared\ink\vConvertInkStore.exe

\Program Files\Common Files\Microsoft Shared\ink\vFlickLearningWizard.exe

\Program Files\Common Files\Microsoft Shared\ink\vInkWatson.exe

\Program Files\Common Files\Microsoft Shared\ink\vInputPersonalization.exe

\Program Files\Common Files\Microsoft Shared\ink\vmip.exe

\Program Files\Common Files\Microsoft Shared\ink\vShapeCollector.exe

\Program Files\Common Files\Microsoft Shared\ink\vTabTip.exe

\Program Files\Common Files\Microsoft Shared\MSInfo\vmsinfo32.exe

\Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOXMLED.EXE

\Program Files\DVD Maker\vDVDMaker.exe

\Program Files\Google\Chrome\Application\vchrome.exe

\Program Files\Google\Chrome\Application\vchrome_proxy.exe

\Program Files\Google\Chrome\Application\106.0.5249.119\vchrome_pwa_launcher.exe

\Program Files\Google\Chrome\Application\106.0.5249.119\velevation_service.exe

\Program Files\Google\Chrome\Application\106.0.5249.119\vnotification_helper.exe

\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\vchrmstp.exe

\Program Files\Internet Explorer\vieinstal.exe

\Program Files\Internet Explorer\vielowutil.exe

\Program Files\Java\jdk1.7.0_80\bin\vappletviewer.exe

\Program Files\Java\jdk1.7.0_80\bin\vapt.exe

\Program Files\Java\jdk1.7.0_80\bin\vextcheck.exe

\Program Files\Java\jdk1.7.0_80\bin\vidlj.exe

\Program Files\Java\jdk1.7.0_80\bin\vjabswitch.exe

\Program Files\Java\jdk1.7.0_80\bin\vjarsigner.exe

\Program Files\Java\jdk1.7.0_80\bin\vjar.exe

\Program Files\Java\jdk1.7.0_80\bin\vjava-rmi.exe

\Program Files\Java\jdk1.7.0_80\bin\vjava.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavac.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavadoc.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavafxpackager.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavah.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavap.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavaw.exe

\Program Files\Java\jdk1.7.0_80\bin\vjavaws.exe

C:\Program Files\Java\jdk1.7.0_80\bin\vjavaws.ico

\Program Files\Java\jdk1.7.0_80\bin\vjcmd.exe

MD5 36e8cb42bbfc16e1395a88d183caed83
SHA1 ca1c513aaa7d49adfe0f43ceec81e6d0c0ae67d8
SHA256 40ea55ebd7ef975135dafffb396871a8ab728abc24b42eaab76f08859994e996
SHA512 f7620b06a5d43d21a0d492b66b0e5bacea6918f1490fb0504e9440524b7ef02ba83d2ae3c2211113b478b8325a3a6b6c8f65939ef5a01b835451cce2e72de00f

\Program Files\Java\jdk1.7.0_80\bin\vjconsole.exe

MD5 805f6272e5e3a80aac3540cc5b42b08e
SHA1 437bee3476647f7b55a49630cb86ed4befc34293
SHA256 910dbe44d17bd60a295a956e98e18347080cc879ed7ef7241cd2d0edfc060551
SHA512 319f8f50dfca4adf148edf878fa7c83bc6e4f1053da0c7d412645fcae9c63e67b838c876838805d9a33b28067947d3844479c9ddab11eb9e760b9df285f27041

\Program Files\Java\jdk1.7.0_80\bin\vjdb.exe

MD5 0b5681808a793728fc658f1e9b94ec52
SHA1 05763b10f153447edcc08afeeeee71fa2f221033
SHA256 d18fab0d0e24e8f1d9551e2667f6b2c34fcd75232c39e85ce50660588174079f
SHA512 65e64980a30285b29888b9eeb66ec1c27c98a15effd67d761c3c62358e3ec008fbda61feda4fada8f9af8bce740b8f38236495c6f1b274d98c14209cd56b414c

\Program Files\Java\jdk1.7.0_80\bin\vjhat.exe

MD5 1dbd51882c2b82a5496106c31db425f1
SHA1 f47bee48a7d0da0c4930cccc6fe7a8d8600d4b05
SHA256 659fecc81e846405613c2080ac81a567df17c97449a9c2ba179ac216280223db
SHA512 81418b0510b58f782b843312069842aeeede8d35feb8f393807169398464896f281dc13bc82d51279a07adfbe97758b82143218cf9a56d653b3a9d11da62f50f

\Program Files\Java\jdk1.7.0_80\bin\vjinfo.exe

MD5 f499825b88d200d9348b5f97ff297ec7
SHA1 366adce5911c160fa26d6fdb4d65af357cf0e3bc
SHA256 8b2d599efa66da695e503b480f355fc5f22347fcf5c294100abaeb3e9a20c1f6
SHA512 3017bf630ba53ee0855d1e657df197732e4fe2fa6455fabad2085e5a24918589d487362fc2819fff85b3fcf7e684376d4b7a5bbc6e71ea57cc62ab397a87dba9

\Program Files\Java\jdk1.7.0_80\bin\vjmap.exe

MD5 30989429490b9ccbde4fae1fc6df84e4
SHA1 64c8cf20ebb4e8dc31521f0084eb046a9e3f0500
SHA256 aa98634e3668beae535738d25c2094a7ef0d855ebd9d945b484368f9e543bc0d
SHA512 9a78ed9cd8dcf333ea240ff309e24a2e5de39bbeba4e9291b55d51fdbc10ee672c674a9f4393b13819562a0d9bc99667eb03519cefed0218444874f15729eefe

\Program Files\Java\jdk1.7.0_80\bin\vjmc.exe

MD5 c8db7998995218d59addc586ce9679d6
SHA1 694f18eef5aa6dfe1aa607ad5a08980f9656ed07
SHA256 e3712cd917e4d41696165a98233443d63dbfb28560967de92ca4e707c50d7df2
SHA512 ba7bdfae350c4b98067a2875295a20fbee1b7e9cb1f1afde1a299ca1b8d6aab3996dec59119cd83214461018e5e4ff91894ad3f0e909359382cf5183811d3d12

\Program Files\Java\jdk1.7.0_80\bin\vjps.exe

MD5 4ce9dbe70ae911f1fef704e2c5594214
SHA1 3431c1d6fa21e04e79f0b2f48cd30b037ab009cb
SHA256 e45733934ff8c01f79a98ea2fd6b2a78fc5f0164e5d4fea7aef5119c7218a5fd
SHA512 291420138d84108ebbb8f3dc81bc4595206144b8eac0a459ae63754aa137a3d6789330dc764c6dafb5cecc76908166d93cccaecbcb3987d4cbba662980ee6359

\Program Files\Java\jdk1.7.0_80\bin\vjrunscript.exe

MD5 c77fa8599058f2f08f6f028ad1ba3d29
SHA1 ea42e7eed011b8b71f32d4d47827a5b56198d134
SHA256 db2beff59876773d223f4813c05c65a1e582604c420ae6d7f6f3844a0a060398
SHA512 f2834be1925ca448884877e7236d2febb72190ebf43a2dab29a76b71c4976360d56df17879966ec74c60b3d62dadd81d577e3034961ed64418c0300f9710f43f

\Program Files\Java\jdk1.7.0_80\bin\vjsadebugd.exe

MD5 da1c77dc8b88afc927144ac6814ffecc
SHA1 ff50b5fefd7275f3972f2e3f228384816fe22e63
SHA256 78d50c2ca489676456b3a0ccd1696dda0f1e1e144baacd26cdbc472869578b30
SHA512 02fbc972c889a71947b2671bcc7e22f9a0edce3e0462f332753d974d73035315aef7b4ae1069e309aa560f98065b792447b2ef8f1e8be1874969de916b2f3e25

\Program Files\Java\jdk1.7.0_80\bin\vjstack.exe

MD5 095d24917473c666b8906e45852378f7
SHA1 2ca5842715ad03982eb9094786832775926e4b4d
SHA256 3289a0fb8c701e7eae9fc792329c0eff6cd2a42ffbf1845f4e630a3e1a019529
SHA512 fba9fe4ca6498c9fcf0d251906b537286f2e7bdb2399293c71f9b0bce379c2684da14212231535a81889928fcbe0adf7354bc83e272a3f6d9082f125494cc50c

\Program Files\Java\jdk1.7.0_80\bin\vjstat.exe

MD5 f9ae41a829d457685c00b08ea9185e1d
SHA1 54eeb13931bfdd989decb7e807996b46b75f1cd6
SHA256 d122b3df7c2b81c5eee0d3165a6741fffbc2298a8eb41740dbe0092eecf3cd47
SHA512 fef83f2670a11536b57dc3a1d86d014b49b83c720976a5592bf6fef2ec45aeb62e269ce0759b150accfc77a94a28423c833b4ad0fbec6a7e0a4132a2b152a538

\Program Files\Java\jdk1.7.0_80\bin\vjstatd.exe

MD5 d33a2ad454c698dc6cc87ff9e484229d
SHA1 cdf4c8db79f2530bdfec32a1909be5d129a23058
SHA256 bf9aef8af2046c69ccc29ab1f9fa0f4b31cfcb1892158877c01e7b3a8c4eadb3
SHA512 682e0b292f0f0cb1613c634a99df53d242ba465f1f754058d508ba8506654ebcb35f79e6e6714a288c2018ab9cdb929ef48a544071bc3ffbf3d362bf3478a818

\Program Files\Java\jdk1.7.0_80\jre\bin\vjabswitch.exe

MD5 529a2a19485ba337e8c0b6970583e94e
SHA1 1cc15db40d7bbef978b74ada8aa308e2f1731c77
SHA256 e9c0f8e00e3f884edfb0b776e4d9bb336dd7fba12f0c6d5604b4530d7016861a
SHA512 30598f68560ce73d02a8683555bbba0c316c5f04f05543dc30a273e51fda19567f375d1855d33fb7b2aa66d0faec8d8b43b064cfb5debe4f0d3f06996a416158

\Program Files\Java\jdk1.7.0_80\jre\lib\vlauncher.exe

MD5 db9c946a0f96b6971d8c206b763a12f9
SHA1 f489499793ec2089d4fa8155f0dce9cce3224a01
SHA256 dcfb9c195b17ad00722e50c3f28181e12e3de6f209e756bdde8f137950ab5b89
SHA512 eb23828b588ace5e3468d0f5aedc1cdc5b0c7c362d76481fa53a5b881ddd459661b6cd6b4e3179b16960538b0ea1103ea02174cb5a26a8227fc0ec06837ea98e

\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\vnbexec.exe

MD5 2d721aa8133aae9cedce6601b08344d7
SHA1 2d7d17947fc92e4908e43d5b235bd387890f29aa
SHA256 5dbf3b499d387e4a811f75c79a3e8671aa27eb35cdbbedb28429092e48c2e685
SHA512 669a7acd991438de338862439f8f8acf8f163620e3a4ed2b9972c8e6b1c7c2c0f478f078e3750197bd1c0ad0500de1c7e474c505d33098690014e674553f0567

\Program Files\Java\jre7\bin\vjabswitch.exe

MD5 e795eb03297dd66d2efac2c33920a69f
SHA1 bf41799164d6ab2690c39afa458122ed82f2d0a8
SHA256 133afb441f29c697a5232752483ef2eecc297446f6db941bd68af7ed056cecf1
SHA512 6a334a07afadcd5c29c30add22142392bdc70d8ae0f36140f2ba7c9b4e70a9efd87b7fbd8b3ef862cea7aebdddfd18bb0521308d9a69070ae4a84432f522c4ef

\Program Files\Microsoft Games\Chess\vChess.exe

MD5 9920ece63fa4b674b611978ddedbb255
SHA1 82b002cbca0b04d876dac63b2e4c0463a359b06f
SHA256 20817e41315a1fda1d1f19c45ca9884d9b2564d638c798aa63bcbe80423e2bdc
SHA512 1daf3e8e827cde9f4992b23a5238d98676c0ec01750a7e3bf8202575f5772a9ae6617ec58ec6a8aa1b5baa7125de6a40760853fb4cf48ad1ab49408f1aaf290b

memory/1688-360-0x0000000003620000-0x000000000370D000-memory.dmp

memory/1688-361-0x0000000003B40000-0x0000000003E64000-memory.dmp

\Program Files\Microsoft Games\FreeCell\vFreeCell.exe

MD5 9962c7fd7786ae501e005c2932ea6ea5
SHA1 6a8133e01ccc22c3487dceb4262dcbfb4646d316
SHA256 b4e5347ff5e6c1f926f4e1a7840f146336a27f67457965c1528ba5fe1a394adf
SHA512 10b1d67ffa2b59f7f624ff18a2921ecd6fe88e1d9db7f001be04753e7c96702cbb6d3a49e516d8ce2bb63b6d0df125c8169e1ac10bb4da0c4814a7e8bc0b2dcb

memory/1688-380-0x0000000003620000-0x00000000036FE000-memory.dmp

memory/1688-374-0x0000000002190000-0x00000000021FD000-memory.dmp

\Program Files\Microsoft Games\Hearts\vHearts.exe

MD5 ad9233d10c1359d13311a4aeed74db9f
SHA1 cc657c79e2a807bd78c3ab12920015d3fe54fd33
SHA256 2c34108e4d8be8cfea2623bbe7523ad40e7d8ec7631036d83d2da7175daabd1a
SHA512 5dc1bcaad0da0888c04ee978280d86bfd872600fd925de76ea0f92ea537238d8452c3d97b28e00826266b6438004bab111a3219e2ecab742fe3568859b722efd

memory/1688-388-0x0000000002190000-0x00000000021F9000-memory.dmp

memory/1688-393-0x0000000003620000-0x00000000036E7000-memory.dmp

\Program Files\Microsoft Games\Mahjong\vMahjong.exe

MD5 ecf307325ec4dbf29d7c4c0b6e2e4a17
SHA1 4a27ea319e02b724c1b50acf899921457bcd87a6
SHA256 7e0aa08d4b438d8593013a477652e587d798731e737cd86e35e3e3f077db488f
SHA512 93f1a956c7eed6e5178a0e6156e44c27970cc4dd2d5a5eedf4a3e23e169932e581c9bdac4d537ca0c3b7775fd41046299b1434840ef4ba7b7f69ebd6ee7ba51d

memory/1688-402-0x0000000003620000-0x00000000037A4000-memory.dmp

memory/1688-407-0x0000000003620000-0x00000000036F7000-memory.dmp

\Program Files\Microsoft Games\Minesweeper\vMineSweeper.exe

MD5 b6f4656891a6ad143c44cf1edd8dab05
SHA1 b94ae308148d93ec97bd00ce5be3ec870f93170e
SHA256 f0a8e1aebe42453fd62c4d80fc11e535346189a7b0410bef08e37646d420d4d2
SHA512 48312695d80bc595b4154660f6f7786982308743825e48bc3c1ce05d26a9aead354e0d4b98e30fe1278bf296ec0e82ebb5ad0d37edc360f420c62f9163fbe48e

memory/1688-427-0x0000000003620000-0x0000000003702000-memory.dmp

memory/1688-420-0x0000000003620000-0x00000000036D4000-memory.dmp

memory/1688-436-0x0000000002190000-0x00000000021B3000-memory.dmp

memory/1688-434-0x0000000002190000-0x00000000021D0000-memory.dmp

\Program Files\Microsoft Games\Multiplayer\Backgammon\vbckgzm.exe

MD5 5059d53266064bcff3ac7fc8972cd08d
SHA1 9565ca752d1eaad48ff926c20e3bb44e222ac97e
SHA256 64de3c407fb546ee2772e0a060eeeef21dd9ec0e757ff35731f2806617d2fbd7
SHA512 f4a7c74c3d3a4ce87cef52dbc240cc321d98326510bdf26f5a77b1c4cb6326e8a41e5794d977a1f6e61a05512d1a1393124dd4c8f0af59b774fe2b8584852bfc

\Program Files\Microsoft Games\Multiplayer\Checkers\vchkrzm.exe

MD5 49607a59a27fb02a3df0ba75fb52eb9f
SHA1 91cad892c90e5899af076111bf4b8114f65b0a80
SHA256 c321461e65000f81c0be93ece235ec8df1f52ada690b1dc79f9f61bf625b4322
SHA512 8e399e93d9c628fc243b0d864d0d367a0e1e7ecb5b9b8e17567dd6aa797f7423065885e340d7b39f4da0c5aafcb317d8ca4e9ae9c048b4dd3ca4c4586eb09f69

memory/1688-454-0x0000000002190000-0x00000000021B4000-memory.dmp

memory/1688-453-0x0000000002190000-0x00000000021FB000-memory.dmp

memory/1688-467-0x0000000003620000-0x0000000003852000-memory.dmp

memory/1688-468-0x0000000002190000-0x00000000021B2000-memory.dmp

memory/1688-474-0x0000000002190000-0x0000000002210000-memory.dmp

memory/1688-480-0x0000000003620000-0x0000000003762000-memory.dmp

memory/1688-487-0x0000000002190000-0x00000000021D3000-memory.dmp

memory/1688-493-0x0000000003620000-0x0000000003702000-memory.dmp

memory/1688-506-0x0000000003B40000-0x0000000003E64000-memory.dmp

memory/1688-529-0x0000000003620000-0x00000000036FE000-memory.dmp

memory/1688-530-0x0000000002190000-0x00000000021CA000-memory.dmp

memory/1688-536-0x0000000003620000-0x00000000036E7000-memory.dmp

memory/1688-537-0x0000000003620000-0x000000000383C000-memory.dmp

memory/1688-550-0x0000000003620000-0x00000000036F7000-memory.dmp

memory/1688-556-0x0000000003620000-0x00000000036A9000-memory.dmp

memory/1688-568-0x0000000003620000-0x0000000003702000-memory.dmp

memory/1688-570-0x0000000003620000-0x0000000003828000-memory.dmp

memory/1688-571-0x0000000002190000-0x00000000021B3000-memory.dmp

memory/1688-582-0x0000000003B40000-0x0000000003FAA000-memory.dmp

memory/1688-584-0x0000000002190000-0x00000000021B4000-memory.dmp

memory/1688-595-0x0000000003620000-0x0000000003796000-memory.dmp

memory/1688-599-0x00000000003E0000-0x00000000003FC000-memory.dmp

F:\autorun.inf

MD5 5513829683bff23161ca7d8595c25c72
SHA1 9961b65bbd3bac109dddd3a161fc30650e8a7096
SHA256 94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2
SHA512 308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

memory/1688-608-0x0000000003620000-0x0000000003762000-memory.dmp

memory/1688-609-0x0000000003620000-0x0000000003702000-memory.dmp

memory/1688-610-0x0000000003620000-0x0000000003702000-memory.dmp

memory/1688-611-0x0000000002190000-0x00000000021CA000-memory.dmp

memory/1688-612-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/1688-613-0x0000000003620000-0x000000000383C000-memory.dmp

memory/1688-614-0x0000000003620000-0x00000000036A9000-memory.dmp

memory/1688-615-0x0000000003620000-0x0000000003828000-memory.dmp

memory/1688-616-0x0000000003B40000-0x0000000003FAA000-memory.dmp

memory/1688-617-0x00000000003E0000-0x00000000003FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 02:04

Reported

2024-10-30 02:07

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

144s

Command Line

winlogon.exe

Signatures

Detects Renamer worm.

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe:*:enabled:@shell32.dll,-1" C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Renamer family

renamer

Renamer, Grenam

worm renamer

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\ETC\HOSTS C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vAppVShNotify.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\vjcmd.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\RCX9C5C.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX9954.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\vcreatedump.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\viediagcmd.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\vmsinfo32.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\vjava.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vappvcleaner.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\SETUP_WM.EXE C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX9BBD.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\UNINSTALL.EXE C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\vCLVIEW.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX9A01.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\vieinstal.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vAppSharingHookController.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\7-Zip\v7zFM.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vappvcleaner.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\RCX9D0B.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\dotnet\vdotnet.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\vjavap.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7ZFM.EXE C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\vcrashreporter.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjavaws.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjhat.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjinfo.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\RCX9AFF.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\7-Zip\vUninstall.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Internet Explorer\vExtExport.ico C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\RCX9FEF.tmp C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\vchrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

(64 identical rows collapsed: the signature fired 64 times for this one process, with no indicator or target recorded on any of them.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (×1) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeTakeOwnershipPrivilege (×12) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeRestorePrivilege (×12) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeBackupPrivilege (×12) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A
Token: SeChangeNotifyPrivilege (×12) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe N/A

(49 rows collapsed. Order as recorded: SeDebugPrivilege once, then the group SeTakeOwnership / SeRestore / SeBackup / SeChangeNotify twelve times over. SeDebugPrivilege is the privilege that lets an administrator open processes such as lsass and winlogon whose DACLs would otherwise refuse it, which the cross-process writes in the next table depend on. SeBackupPrivilege and SeRestorePrivilege bypass file ACLs on read and write respectively, and SeTakeOwnershipPrivilege lets the process seize objects it could not otherwise modify: together they are the set a file infector or renamer needs to overwrite files under Program Files and Windows. SeChangeNotifyPrivilege is held by every token by default and carries no signal on its own.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 616 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\winlogon.exe
PID 2428 wrote to memory of 676 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\lsass.exe
PID 2428 wrote to memory of 780 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\fontdrvhost.exe
PID 2428 wrote to memory of 788 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\fontdrvhost.exe
PID 2428 wrote to memory of 800 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 904 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 952 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 64 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\dwm.exe
PID 2428 wrote to memory of 516 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 736 (×6) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\System32\svchost.exe
PID 2428 wrote to memory of 1036 (×4, last rows of the table) N/A C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe C:\Windows\system32\svchost.exe

(64 rows collapsed to one per target. PID 2428 is the sample itself; the memory/2428-* dumps under Files belong to it. It writes into winlogon, lsass, both fontdrvhost instances, dwm and seven svchost instances, the pattern of a process walking the whole process list rather than picking one host process, consistent with the "Suspicious behavior: EnumeratesProcesses" finding. On a real host the writes into lsass and winlogon are the ones to treat as high severity.)
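
The per-source aggregation an analyst wants from a table like this, as an added example that is not part of the sandbox report: it parses rows in the report's own "PID <src> wrote to memory of <dst>" layout, groups them by source PID, and flags any source that writes into several distinct processes or into any security-critical one. The rows are copied from the table above (one per distinct target; the report repeats each six times); the final row for PID 3100 is a constructed benign control, and the names ROWS, PROTECTED, parse_rows and analyse are ours.

```python
"""Flag a process that sprays cross-process writes (added example, not sandbox output)."""
import re
from collections import defaultdict
from typing import NamedTuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe")

# Rows copied from the WriteProcessMemory table above, one per distinct target.
# The last row is constructed: a debugger writing into the one process it debugs.
ROWS = r"""
PID 2428 wrote to memory of 616 N/A {s} C:\Windows\system32\winlogon.exe
PID 2428 wrote to memory of 676 N/A {s} C:\Windows\system32\lsass.exe
PID 2428 wrote to memory of 780 N/A {s} C:\Windows\system32\fontdrvhost.exe
PID 2428 wrote to memory of 788 N/A {s} C:\Windows\system32\fontdrvhost.exe
PID 2428 wrote to memory of 800 N/A {s} C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 904 N/A {s} C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 952 N/A {s} C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 64 N/A {s} C:\Windows\system32\dwm.exe
PID 2428 wrote to memory of 516 N/A {s} C:\Windows\system32\svchost.exe
PID 2428 wrote to memory of 736 N/A {s} C:\Windows\System32\svchost.exe
PID 2428 wrote to memory of 1036 N/A {s} C:\Windows\system32\svchost.exe
PID 3100 wrote to memory of 3120 N/A C:\Tools\x64dbg\x64dbg.exe C:\Tools\crackme.exe
""".format(s=SAMPLE)

# Columns: Description ("PID a wrote to memory of b"), Indicator, Process, Target.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Processes a user-land binary launched from %TEMP% has no business writing into.
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
             "svchost.exe", "dwm.exe", "fontdrvhost.exe"}


class WriteEvent(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text):
    """Turn the report's rows into WriteEvent records; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(WriteEvent(int(m[1]), int(m[2]), m[4], m[5]))
    return events


def basename(path):
    """Case-folded file name of a Windows path (System32 vs system32 must compare equal)."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events, min_distinct=3):
    """One finding per source PID that hits >= min_distinct targets or any PROTECTED image."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src_pid].append(ev)
    findings = []
    for src_pid, evs in by_src.items():
        targets = {ev.dst_pid for ev in evs}
        protected = sorted({basename(ev.dst_image) for ev in evs} & PROTECTED)
        if len(targets) < min_distinct and not protected:
            continue  # e.g. a debugger attached to a single ordinary process
        findings.append({
            "src_pid": src_pid,
            "src_image": basename(evs[0].src_image),
            "writes": len(evs),
            "distinct_targets": len(targets),
            "protected": protected,
            # Writes into lsass or winlogon touch credentials and session control.
            "severity": "high" if {"lsass.exe", "winlogon.exe"} & set(protected) else "medium",
        })
    return sorted(findings, key=lambda f: f["distinct_targets"], reverse=True)


if __name__ == "__main__":
    for finding in analyse(parse_rows(ROWS)):
        print(finding)
```

On a live host the same aggregation runs over Sysmon Event ID 10 (ProcessAccess) records whose GrantedAccess includes 0x20 (PROCESS_VM_WRITE); the sandbox table carries no access mask, so the parser above keys on PIDs and image names only.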

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\MusNotification.exe

C:\Windows\system32\MusNotification.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe

"C:\Users\Admin\AppData\Local\Temp\940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
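
Two things stand out in the table above: ilo.brenz.pl and ant.trenz.pl are the only non-Microsoft names in the capture, and each is queried five times over the run without a single TCP connection following, whereas the bing names (most likely background traffic from the SearchApp and StartMenuExperienceHost processes listed above) are resolved once and then connected to. The table records queries, not answers, so the repeated re-query with no connection is consistent with a name that no longer resolves (NXDOMAIN or sinkhole), which is exactly the beacon you want to hunt for in DNS logs. The check below is an added example, not part of the sandbox report: it parses rows in the report's own "Country Destination Domain Proto" layout, tallies DNS queries against connections per name, and reports names that are re-queried but never connected to. The rows are copied from the table above with most in-addr.arpa reverse lookups omitted (they are skipped anyway); the names ROWS, tally and dead_beacons are ours.

```python
"""Separate DNS-only beacons from real connections (added example, not sandbox output)."""
import re
from collections import defaultdict

# Copied from the Network table above; reverse (PTR) lookups abbreviated to two rows.
ROWS = """
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 ilo.brenz.pl udp
US 8.8.8.8:53 ant.trenz.pl udp
"""

# Columns: Country, Destination (ip:port), Domain, Proto.
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (udp|tcp)$")


def tally(text):
    """Return {domain: {"dns": queries, "conn": connections}} for forward names only."""
    stats = defaultdict(lambda: {"dns": 0, "conn": 0})
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, _ip, port, domain, proto = m.groups()
        if domain.endswith(".in-addr.arpa"):
            continue  # PTR lookups Windows issues on its own; never a beacon
        if proto == "udp" and port == "53":
            stats[domain]["dns"] += 1
        else:
            stats[domain]["conn"] += 1  # any non-DNS flow counts as a real connection
    return dict(stats)


def dead_beacons(text, min_queries=3):
    """Names re-queried at least min_queries times that were never connected to."""
    return sorted((domain, s["dns"]) for domain, s in tally(text).items()
                  if s["dns"] >= min_queries and s["conn"] == 0)


if __name__ == "__main__":
    for domain, queries in dead_beacons(ROWS):
        print(f"{domain}: {queries} queries, 0 connections")
```

The threshold of three exists because a single unanswered query is routine noise; on a real resolver log you would also join against the response code so that NXDOMAIN and a sinkhole answer can be told apart, which this table does not allow.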

Files

memory/2428-0-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2428-3-0x0000000077373000-0x0000000077374000-memory.dmp

memory/2428-2-0x0000000077372000-0x0000000077373000-memory.dmp

memory/2428-1-0x000000007FE40000-0x000000007FE4B000-memory.dmp

memory/2428-5-0x000000007FE40000-0x000000007FE4B000-memory.dmp

memory/2428-6-0x00000000007C0000-0x00000000007C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Paint.exe

MD5 da09d53c0ea19616574f0949f3e8989e
SHA1 a53694754dce1e768068bddac41d55eb06dfe1e1
SHA256 940128e16d2ba02fd1598b58b0f40a04afa9b13238ac1f9c8dfb43469cefec90
SHA512 3ea49961548fd7f95b23124c63da51d0b6664ff0d0a31b28979b83ea2ce9d0c5bbd79114b3a55be5cf7ad2fcb77b13aa794611289f57faeedd550516d8b943d7

C:\Program Files\7-Zip\RCX9954.tmp

MD5 c856224d386962b8b6a8f44d0fb1cf86
SHA1 1240f212d2dfa8f08a8646a91b7f4be8b082897d
SHA256 a3db2614d45247ca9eb6612e638303f15b3d226ae4ab623b5041a6024134e8ff
SHA512 a63ffd40a3377168325d9dfbcdd4348d1a5ea482ca2ab6b19bb33c69535cfba7f2dab26b78783a2d827e97111bf15c72e2087db6d09821080a84452f49219656

C:\Program Files\Java\jdk-1.8\bin\vjavaws.ico

MD5 38b41d03e9dfcbbd08210c5f0b50ba71
SHA1 2fbfde75ce9fe8423d8e7720bf7408cedcb57a70
SHA256 611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5
SHA512 ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico

MD5 fc27f73816c9f640d800cdc1c9294751
SHA1 e6c3d8835d1de4e9606e5588e741cd1be27398f6
SHA256 3cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05
SHA512 9e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4

C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.ico

MD5 3ea9bcbc01e1a652de5a6fc291a66d1a
SHA1 aee490d53ee201879dff37503a0796c77642a792
SHA256 a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c
SHA512 7c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501

F:\autorun.inf

MD5 5513829683bff23161ca7d8595c25c72
SHA1 9961b65bbd3bac109dddd3a161fc30650e8a7096
SHA256 94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2
SHA512 308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

memory/2428-431-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2428-433-0x00000000007C0000-0x00000000007C1000-memory.dmp