fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
Size

2.1MB
MD5

10fe844edc4fc5dc0d981aa503370c17
SHA1

a5fcc664fc647c273190adc2701ec7e07ae69bce
SHA256

fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd
SHA512

336312d886b319f0ffb19d68bca66a2e130479958f579058388cce086e186887f4956d4a4786c81fe7ccfba5fa5dac08d4b00becea9cf102d02cbc9231ba9203
SSDEEP

24576:ocCT67wHqWis4l+jIACFr5hqjiLDpSJDN93pqb6W8cU4gLQO6sqjnhMgeiCl7G0Z:VCpn8t74iA3qb6W8cU4fDmg27RnWGj

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
464	Process not Found
2020	alg.exe
1720	aspnet_state.exe
472	mscorsvw.exe
1048	mscorsvw.exe
1740	mscorsvw.exe
1956	mscorsvw.exe
532	dllhost.exe
1508	ehRecvr.exe
1608	ehsched.exe
1684	elevation_service.exe
1088	mscorsvw.exe
820	mscorsvw.exe
876	GROOVE.EXE
1656	maintenanceservice.exe
1420	OSE.EXE
1732	mscorsvw.exe
688	OSPPSVC.EXE
240	mscorsvw.exe
1732	mscorsvw.exe
1080	mscorsvw.exe
1560	mscorsvw.exe
2032	mscorsvw.exe
528	mscorsvw.exe
1656	mscorsvw.exe
1732	mscorsvw.exe
1080	mscorsvw.exe
1416	mscorsvw.exe
1136	mscorsvw.exe
1048	mscorsvw.exe
1840	mscorsvw.exe
1712	mscorsvw.exe
1104	mscorsvw.exe
1604	mscorsvw.exe
1800	mscorsvw.exe
1176	mscorsvw.exe
1048	mscorsvw.exe
1472	mscorsvw.exe
1056	mscorsvw.exe
1396	mscorsvw.exe
1976	mscorsvw.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Loads dropped DLL 64 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
1772	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\660d50d7a2d7329a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\vjstat.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\vMineSweeper.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\vappletviewer.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\vjabswitch.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\vjconsole.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jre7\bin\vjabswitch.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCX23F5.tmp	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\vshvlzm.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\RCX201C.tmp	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\7-Zip\RCXF0E6.tmp	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\vjavap.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\7-Zip\v7zFM.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\vbckgzm.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\vidlj.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\vjavaws.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\vidlj.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\RCXFEC0.tmp	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E043F39E-C542-4CD0-8AC9-D9174B22112C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\bfsvc.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E043F39E-C542-4CD0-8AC9-D9174B22112C}.crmlog	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeDebugPrivilege	2020	alg.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1476 wrote to memory of 1772	1476	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	36
PID 1740 wrote to memory of 1088	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 1088	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 1088	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 1088	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 820	1740	mscorsvw.exe	39
PID 1740 wrote to memory of 820	1740	mscorsvw.exe	39
PID 1740 wrote to memory of 820	1740	mscorsvw.exe	39
PID 1740 wrote to memory of 820	1740	mscorsvw.exe	39
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 240	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 240	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 240	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 240	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1080	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 1080	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 1080	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 1080	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 1560	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 1560	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 1560	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 1560	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2032	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2032	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2032	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2032	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 528	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 528	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 528	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 528	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 1656	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 1656	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 1656	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 1656	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	52
PID 1740 wrote to memory of 1732	1740	mscorsvw.exe	52

C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
"C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
  "C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:472

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 258 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 250 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 268 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 280 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1bc -NGENProcess 154 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1bc -NGENProcess 154 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:532

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1508

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1656

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1420

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
11ca252c2726487b58f6251dc2e6ed54

SHA1
12b4ff860f56aa66ebfeb68362a65d48512d5b66

SHA256
86d7bf64db647e0a53cc28bc03e2cc9ce263a970e4f4ee032cdcd093db1979aa

SHA512
9c95793f04cf864c6a4cb6573c8658a445fcc6bb7e95b3870be0e41a927e1d503cc3d17f89a74033b5f8e1ee017c469b0240345d51b5e32d987ba68f68d1737e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f8009e628b80122ae7096c7b2c66326b

SHA1
cded0f2dca2b4ab7a550b6c8f849457988058a5d

SHA256
b94872efaf13cf9758d23ccf97ad335f69b203793b5702751cce64f208375523

SHA512
8504f508546d7826dabc57004f200843ab82e5d0ba120920aec0442b62eaede3f3fcd06f228cd3c39c4570ec82894f363914699d4666e142eb1f529d45d2c4ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
673355da33d531f07c8fc448586fbd9a

SHA1
59b8cb09d27a87f93db97b1b163ae2e09c520a2e

SHA256
c98e56ce8104a8a91df0885bf782cd6d751af1c1f51dfa79cff9114929b22d54

SHA512
bb2492eac9fb40c5b97570281d1666dd1c65761fe469aa034417aad16cf29dec6ec21fef09d986eee6ba3e689ba97d71ebb4fd91f95c9c397cedb5b786a1bb8a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.1MB

MD5
10fe844edc4fc5dc0d981aa503370c17

SHA1
a5fcc664fc647c273190adc2701ec7e07ae69bce

SHA256
fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd

SHA512
336312d886b319f0ffb19d68bca66a2e130479958f579058388cce086e186887f4956d4a4786c81fe7ccfba5fa5dac08d4b00becea9cf102d02cbc9231ba9203

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
23874439381eab6e05e19b2c03821290

SHA1
51d5dc5edc6e4b62df05819748b9629c90d480e2

SHA256
0e83f55c16abd924094f68cca7f988cbd5fc950835fed59e7f20fab1494f2aa9

SHA512
227bb8d17a729ae4f44a8c8def8217fa25c7e4fffc03ef446f94a9a5221760d793b8d9812c138816cd4009f4a11345ddc69538e40b0e029e1eb6897a44bb2735

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.5MB

MD5
23874439381eab6e05e19b2c03821290

SHA1
51d5dc5edc6e4b62df05819748b9629c90d480e2

SHA256
0e83f55c16abd924094f68cca7f988cbd5fc950835fed59e7f20fab1494f2aa9

SHA512
227bb8d17a729ae4f44a8c8def8217fa25c7e4fffc03ef446f94a9a5221760d793b8d9812c138816cd4009f4a11345ddc69538e40b0e029e1eb6897a44bb2735

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
584eecb596341141c2c10065d3a2fb55

SHA1
b9edf276524608583d7978a8c36c3a4c7446289d

SHA256
da43792e1a0b1cfb799d9ef04c8ac06df8d1242f2a0215992f19a47ffca917e9

SHA512
1c8245f923e4fe152375caf41b4b6491036bdb7efd53017f161030105ec3ade961aea2a759cd168f36a8283fef73660b22544deee196e8198a3934561ca67411

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
5bbbfdc7a11d642860b641305bc52138

SHA1
efcbec8d137de2c4d3b200557bf98d17fbdb57b6

SHA256
e6b4ed9a17c77e5ecce06e9d85ed91e7c9d3451c078e36b8224507284d95bca2

SHA512
d924a1c9c17cc124c5220e00a45a872db1f76c47736eb32a17cb2a999302935e0cdf4512db726aff351d323f6fc9de74608a9e8c4f1dc4885e669d333f3a2acf

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe

Filesize
3.3MB

MD5
01fab6048cfc41034c393b7a8beeda70

SHA1
0afab0b3ffbaef21cc8e5ce8c987aa38c263cd1a

SHA256
9c8a5ecbea0bab7828bc1e2da1253285e49e14be3880f6f07240dbe0cd646484

SHA512
26ed35fa47ba9c2e1b9596e5312b6fd405e21bb8f6e9549359e28a7ffce7459d5d69fc98fa781837034f6e5a5aa2ef824d0dbaf0925e1198f7fe9f95a542b22a

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe

Filesize
3.3MB

MD5
96133378e97fab3da795cb8ecc4c230a

SHA1
97e27dab08c786fa2be979f9c9cfc2ef5e2a8458

SHA256
d41dc5c3a3f38cb4e58a304b6c2361aaf3caf78ad619fd136ed5423e67684f16

SHA512
792a8558b2aabc0ce04007470e7801294c61616e764a8d805a3a4c2d798424ac86c3bc7782411789462723ac1d1452a2be3a3aa38207d703b214b911fda0f383

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
42ee2189a49270f23bec5f0a11da6a8f

SHA1
e4dbc336f264f56d23ffdd4b3cd844689f68974d

SHA256
135f6abf294fc3cb4fd0971cb47e4cfbbfac70a8bbe2334aec90976dcea5fc53

SHA512
7e73a484913a3fc07cababbb1dd48e821115f89736ca972b1b361b6b0e9b2192cf0f990baed8296a1d2c09f9b4142c348c4162d1f36982bebc850d59af06b4cb

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
b194a848e2e78f6b0dbf5d8aea1ec6c9

SHA1
2e09c1d756d052dae6d81f5dd425b6ac56e67509

SHA256
b4caadb966b34d2179110d81e4bee51458a34b9fb7716594572265c1512e3bbb

SHA512
bfa3c535d4a1702487c1cd607dd2a5e9668729358cbb59be515700b021ac7c930bb07c3b5607181f2eae521c7bfc788fd97b226d04402327318f28781e32d889

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
b194a848e2e78f6b0dbf5d8aea1ec6c9

SHA1
2e09c1d756d052dae6d81f5dd425b6ac56e67509

SHA256
b4caadb966b34d2179110d81e4bee51458a34b9fb7716594572265c1512e3bbb

SHA512
bfa3c535d4a1702487c1cd607dd2a5e9668729358cbb59be515700b021ac7c930bb07c3b5607181f2eae521c7bfc788fd97b226d04402327318f28781e32d889

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe

Filesize
1.6MB

MD5
dd238e60b237163a6d068038f0db2296

SHA1
4792bffd14016b23ce457ca9e5250bc30b186d0b

SHA256
9a334967d6a4032b59393d2ce91314ba9a4fa44e8220c27e47e0a68c7c4b9436

SHA512
42d353cbd5b6c25d5e0755f71978319f506924e2dfad2795e8a2b5987ff23187ff08ebf5c8024802fa885fff90daa639ce3611db4044e09a54eadd84a48ad42f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.4MB

MD5
032f7b01d86c8017110b35c793343ef5

SHA1
91c078a16127458442c3f805ff51f6841b60ee55

SHA256
7cdf95f48d41821d4832a19c64a1bf323b85f9a03b2909d9a7be2d71b3b8e5cb

SHA512
c9e8751cccf24a517d5ce61758b61b39a61b5384f41babf1ffc9a48a49174ddbdf409550372d6146de1650d3a6cbbfd2992d78382a2c9476bfdd3c2ea9047df7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
6606733fd8de05df91aa479de5257e26

SHA1
2270cfa919e7e1238a75b08c6fd8f69196ca8483

SHA256
613b5a6ca13a09315fea8fefc5790bb06157be912f875ddccbf9c9d09025fef5

SHA512
e89e86a9a6c32a4d93f4a773cc2fd0dcd7f067d0e0ad3c9ab9da36d056f1f07598927dfb4814896e27828f5a48fbbf4c99064b6ee76ac1a0bf17e7bc13372490

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
3951885dd1b9d45593f6c00aad66b1c2

SHA1
54d5110d432cd37794fc2ceb6568c7f0b1d7cbc5

SHA256
9deb6e979ffd836eab2759204af393503edc1b85a8414dc80c90221f9428462d

SHA512
10be0917c22c18f76943c4a5841fae8a22fc05b1ae8b9b89ac95085414e03168fffa537640cd65c48371e2c5baaedc7c50cd35b8a5ef0def91f90c4cb69a6073

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
48eeaa5e21913d08a8c9ac5f2d83b94b

SHA1
9d49a662400372cade9c8631b416ca47eecf7643

SHA256
37c6694eaa56dc7873e96413b8787052da0319c151a63972625b6f2acfe38379

SHA512
b88a706a6fe6d2e9fa3f0cc86e5c47a7109ac7a582ec8eddbd15b6bee27c56a92725c2e01b2cac19f79e7c237679a34c51d9d185be23038a6f676ada0ebd1d29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
3da06dedb6cde761916a43123d97acd1

SHA1
4076050ecd11eff1c3e6a8ea812bef0c2c7e68bb

SHA256
cb2d3aa846871d6b4780ec46cc7179725ca0efdc1ef6d202da99f0a295332c57

SHA512
5187e20571a52fdbfbbe2fc87127d7efe6e4bd6c18e157f057f452a3f631f7f6471d2bab41c6e54f819373af04df522f304d715605a9de2000e97de0b4adbcd8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.2MB

MD5
7d8ae1ca2c532f8b93b6c89dccf851c8

SHA1
03f6dac7300e5f26afda1485c9d0c56044934e25

SHA256
84e4300a360faac3c370394b894d3f3fcbbf7ecb86429539b873e6877c935a03

SHA512
493e64ec6377a1bec0f6446e6b714dcced42d2183ba8e585a296b2da5a9819f03b4c10cce563f9b3050bf89de9b88a50e9d411c4d46dfd23baa0ddac8c0f83e3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.2MB

MD5
225cce79a554cba36d19b30c901cb32e

SHA1
b3639d835ded6c2bee5a36da7d21b8faf6676638

SHA256
8c5a62966b5ac809368972c58ff2af33e2b993da1ea5bcd520f95d1fc157d261

SHA512
349fc3bfa21bba13d77ed78ed4bbdc421c6ef25cf15de39536ccec932a84561e2305e937062db9e59fca4d8b08f572eefa3d6ba15f867211e98fe92c36339d12

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b3319f1d5fc1ca778805dae31165996a

SHA1
3f5e095f2989828326d8b65e778e9d9eb69ce3b5

SHA256
5f80364b0535f86e6bce2b2b1952682034792fde5fb386e62460c1ac53c799e2

SHA512
32ab7b548078b6b1cdc46598e0d0b9ed1d2f2b951ad387d2f9d05d97032e74e33078f861e409324b3589c2f7c1b4e61ef9173f14dcbba024a1931faed1623bcb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b3319f1d5fc1ca778805dae31165996a

SHA1
3f5e095f2989828326d8b65e778e9d9eb69ce3b5

SHA256
5f80364b0535f86e6bce2b2b1952682034792fde5fb386e62460c1ac53c799e2

SHA512
32ab7b548078b6b1cdc46598e0d0b9ed1d2f2b951ad387d2f9d05d97032e74e33078f861e409324b3589c2f7c1b4e61ef9173f14dcbba024a1931faed1623bcb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
5bb4ff3d3e6180079cbf466b5e2aca20

SHA1
1b5f06ca076712796cd972203f369901c53e5572

SHA256
da0ba8929c76fd7e3dba7bd1ec60f1312de941bf01831734656a183e82872c12

SHA512
a7d9e4b62122018f65aa6b743c2c188a13b794d6337ec8cdfe4184172b32c0494ff00bce9c2e3a1b1bd6878c4de36275415fe5e9cefedf6819bb47cce7bbb540

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3349053a6747d8b964c93e1f99c5f8e6

SHA1
ae4590ebd8940ff2f33894acf6b0edd038813e88

SHA256
641467eef0412cc062d5c50d5c33f7976b90c76c865e426328676a78eb56a354

SHA512
3dde3c4db3b9e721f93f55267584ceeed5b5a78449b96ad020af05b3ad09f8ab80762d7602a1df5c7f438fc1aa467e4d20ea01caadbe71674a36dd99ff95d81b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3349053a6747d8b964c93e1f99c5f8e6

SHA1
ae4590ebd8940ff2f33894acf6b0edd038813e88

SHA256
641467eef0412cc062d5c50d5c33f7976b90c76c865e426328676a78eb56a354

SHA512
3dde3c4db3b9e721f93f55267584ceeed5b5a78449b96ad020af05b3ad09f8ab80762d7602a1df5c7f438fc1aa467e4d20ea01caadbe71674a36dd99ff95d81b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
318e40165091d466de25ece783b05f3d

SHA1
6f82eac72c7495668652021dcdd8ccc40245115a

SHA256
d0b1477cf53f15af224f11183a2b1ce01892d7af92d1ba8223011db44db733c5

SHA512
c8f7e8a06ee98fcf084512da7ea2b6045ddb4ee2428a123309dca9e5cf6c8b55c46ea495dfd70b983d4976dbb59789530a21e160f288c13b395073f3bb6a3128

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
318e40165091d466de25ece783b05f3d

SHA1
6f82eac72c7495668652021dcdd8ccc40245115a

SHA256
d0b1477cf53f15af224f11183a2b1ce01892d7af92d1ba8223011db44db733c5

SHA512
c8f7e8a06ee98fcf084512da7ea2b6045ddb4ee2428a123309dca9e5cf6c8b55c46ea495dfd70b983d4976dbb59789530a21e160f288c13b395073f3bb6a3128

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b599602e5b6540cab2f743b5e8aa5024

SHA1
4c708dea7474dfb232bb2815ec0131588a4718d4

SHA256
3eeb737a4d51c5f79b791c023291c87a1f005c0dc3a42ddc4b321677344d95c5

SHA512
1168bb65bbdf49df050770d2eb9c23567724dc24341401f31a9dbb8e870d2d8f4bfb4d003def2e8768f2f5f7f7111b832015f2430804f6f07f4b946bc628d81a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b599602e5b6540cab2f743b5e8aa5024

SHA1
4c708dea7474dfb232bb2815ec0131588a4718d4

SHA256
3eeb737a4d51c5f79b791c023291c87a1f005c0dc3a42ddc4b321677344d95c5

SHA512
1168bb65bbdf49df050770d2eb9c23567724dc24341401f31a9dbb8e870d2d8f4bfb4d003def2e8768f2f5f7f7111b832015f2430804f6f07f4b946bc628d81a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b599602e5b6540cab2f743b5e8aa5024

SHA1
4c708dea7474dfb232bb2815ec0131588a4718d4

SHA256
3eeb737a4d51c5f79b791c023291c87a1f005c0dc3a42ddc4b321677344d95c5

SHA512
1168bb65bbdf49df050770d2eb9c23567724dc24341401f31a9dbb8e870d2d8f4bfb4d003def2e8768f2f5f7f7111b832015f2430804f6f07f4b946bc628d81a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b599602e5b6540cab2f743b5e8aa5024

SHA1
4c708dea7474dfb232bb2815ec0131588a4718d4

SHA256
3eeb737a4d51c5f79b791c023291c87a1f005c0dc3a42ddc4b321677344d95c5

SHA512
1168bb65bbdf49df050770d2eb9c23567724dc24341401f31a9dbb8e870d2d8f4bfb4d003def2e8768f2f5f7f7111b832015f2430804f6f07f4b946bc628d81a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b599602e5b6540cab2f743b5e8aa5024

SHA1
4c708dea7474dfb232bb2815ec0131588a4718d4

SHA256
3eeb737a4d51c5f79b791c023291c87a1f005c0dc3a42ddc4b321677344d95c5

SHA512
1168bb65bbdf49df050770d2eb9c23567724dc24341401f31a9dbb8e870d2d8f4bfb4d003def2e8768f2f5f7f7111b832015f2430804f6f07f4b946bc628d81a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b599602e5b6540cab2f743b5e8aa5024

SHA1
4c708dea7474dfb232bb2815ec0131588a4718d4

SHA256
3eeb737a4d51c5f79b791c023291c87a1f005c0dc3a42ddc4b321677344d95c5

SHA512
1168bb65bbdf49df050770d2eb9c23567724dc24341401f31a9dbb8e870d2d8f4bfb4d003def2e8768f2f5f7f7111b832015f2430804f6f07f4b946bc628d81a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
83449f44bf1150aeb50b9a73182d53f1

SHA1
2194cff0a142d476ce162cc519fe8edeeb47e06e

SHA256
c1a212a0055535628e0a233845a7e234b363ea8916385083454ec7eeccec80af

SHA512
42ca363506d9a460eb9d24d964db0502e41226288235e8f6fd4f2d30b3fad4d7d544f5ba5794aa1228033fd2f9b69bf9a4345a2bdfdb04541416d53dfc113366

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
05b4717c5fe2e1948f4dbc5e9b0d2459

SHA1
8e17bc546d31f0d4c5a3874457acf866ae5c9951

SHA256
f2ff047a3b38955988a571b6a09b1082f0a107ffbd45e75acd92102ad8f7ca86

SHA512
5f683f309d0e50e1adbd84511d5d3d993e16003bab962cae7f79e52d040aa9e07a1268061d8ef8f7ed5b9d25175bc038c4dfda11e4de8becd063f5a2a9c86ca0

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2fae7c8d8fab108436ce8220acd5fe8b

SHA1
562591537574662d55e263b1e59d5e577081b1ee

SHA256
700fdd2223beeaf3c66c9571e6df5f1eeae91384fbb727f5f903a71083983acb

SHA512
2ae741dfe2f7c86b7b28d640144d17aff2d2acafb52a9385302e9009c8d837d966c552b1e5b383ac852edc5da6e0a037962292603e39f7917fd532d27d444ef7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
af527614a7b250e24baded36d7e01602

SHA1
25c01f8f931e5b151c3d0d0b27193009ad9b3533

SHA256
e942c85d6dc6b6d48db22bb47731240c7859f9e663d5a3f9b0094c7d24939eef

SHA512
b5485856cd50bc40322fb21570df7e08fcd543a1e985cafa051eaa91640efc4c97738d325d8fae7492245e6eb74730c983c43c2e5a38f526e4f1f8b1211c4fc1

Download Submit
\Program Files\7-Zip\v7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Program Files\7-Zip\v7zFM.exe

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
\Program Files\7-Zip\v7zG.exe

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
\Program Files\7-Zip\vUninstall.exe

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
\Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOXMLED.EXE

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\vchrmstp.exe

Filesize
3.3MB

MD5
01fab6048cfc41034c393b7a8beeda70

SHA1
0afab0b3ffbaef21cc8e5ce8c987aa38c263cd1a

SHA256
9c8a5ecbea0bab7828bc1e2da1253285e49e14be3880f6f07240dbe0cd646484

SHA512
26ed35fa47ba9c2e1b9596e5312b6fd405e21bb8f6e9549359e28a7ffce7459d5d69fc98fa781837034f6e5a5aa2ef824d0dbaf0925e1198f7fe9f95a542b22a

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\vsetup.exe

Filesize
3.3MB

MD5
96133378e97fab3da795cb8ecc4c230a

SHA1
97e27dab08c786fa2be979f9c9cfc2ef5e2a8458

SHA256
d41dc5c3a3f38cb4e58a304b6c2361aaf3caf78ad619fd136ed5423e67684f16

SHA512
792a8558b2aabc0ce04007470e7801294c61616e764a8d805a3a4c2d798424ac86c3bc7782411789462723ac1d1452a2be3a3aa38207d703b214b911fda0f383

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
b194a848e2e78f6b0dbf5d8aea1ec6c9

SHA1
2e09c1d756d052dae6d81f5dd425b6ac56e67509

SHA256
b4caadb966b34d2179110d81e4bee51458a34b9fb7716594572265c1512e3bbb

SHA512
bfa3c535d4a1702487c1cd607dd2a5e9668729358cbb59be515700b021ac7c930bb07c3b5607181f2eae521c7bfc788fd97b226d04402327318f28781e32d889

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\vchrome_pwa_launcher.exe

Filesize
1.9MB

MD5
42ee2189a49270f23bec5f0a11da6a8f

SHA1
e4dbc336f264f56d23ffdd4b3cd844689f68974d

SHA256
135f6abf294fc3cb4fd0971cb47e4cfbbfac70a8bbe2334aec90976dcea5fc53

SHA512
7e73a484913a3fc07cababbb1dd48e821115f89736ca972b1b361b6b0e9b2192cf0f990baed8296a1d2c09f9b4142c348c4162d1f36982bebc850d59af06b4cb

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\velevation_service.exe

Filesize
2.0MB

MD5
b194a848e2e78f6b0dbf5d8aea1ec6c9

SHA1
2e09c1d756d052dae6d81f5dd425b6ac56e67509

SHA256
b4caadb966b34d2179110d81e4bee51458a34b9fb7716594572265c1512e3bbb

SHA512
bfa3c535d4a1702487c1cd607dd2a5e9668729358cbb59be515700b021ac7c930bb07c3b5607181f2eae521c7bfc788fd97b226d04402327318f28781e32d889

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\vnotification_helper.exe

Filesize
1.6MB

MD5
dd238e60b237163a6d068038f0db2296

SHA1
4792bffd14016b23ce457ca9e5250bc30b186d0b

SHA256
9a334967d6a4032b59393d2ce91314ba9a4fa44e8220c27e47e0a68c7c4b9436

SHA512
42d353cbd5b6c25d5e0755f71978319f506924e2dfad2795e8a2b5987ff23187ff08ebf5c8024802fa885fff90daa639ce3611db4044e09a54eadd84a48ad42f

Download Submit
\Program Files\Google\Chrome\Application\vchrome.exe

Filesize
2.2MB

MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\vchrome_proxy.exe

Filesize
1.4MB

MD5
032f7b01d86c8017110b35c793343ef5

SHA1
91c078a16127458442c3f805ff51f6841b60ee55

SHA256
7cdf95f48d41821d4832a19c64a1bf323b85f9a03b2909d9a7be2d71b3b8e5cb

SHA512
c9e8751cccf24a517d5ce61758b61b39a61b5384f41babf1ffc9a48a49174ddbdf409550372d6146de1650d3a6cbbfd2992d78382a2c9476bfdd3c2ea9047df7

Download Submit
\Program Files\Java\jdk1.7.0_80\bin\vappletviewer.exe

Filesize
1.2MB

MD5
6606733fd8de05df91aa479de5257e26

SHA1
2270cfa919e7e1238a75b08c6fd8f69196ca8483

SHA256
613b5a6ca13a09315fea8fefc5790bb06157be912f875ddccbf9c9d09025fef5

SHA512
e89e86a9a6c32a4d93f4a773cc2fd0dcd7f067d0e0ad3c9ab9da36d056f1f07598927dfb4814896e27828f5a48fbbf4c99064b6ee76ac1a0bf17e7bc13372490

Download Submit
\Program Files\Java\jdk1.7.0_80\bin\vapt.exe

Filesize
1.2MB

MD5
3951885dd1b9d45593f6c00aad66b1c2

SHA1
54d5110d432cd37794fc2ceb6568c7f0b1d7cbc5

SHA256
9deb6e979ffd836eab2759204af393503edc1b85a8414dc80c90221f9428462d

SHA512
10be0917c22c18f76943c4a5841fae8a22fc05b1ae8b9b89ac95085414e03168fffa537640cd65c48371e2c5baaedc7c50cd35b8a5ef0def91f90c4cb69a6073

Download Submit
\Program Files\Java\jdk1.7.0_80\bin\vextcheck.exe

Filesize
1.2MB

MD5
48eeaa5e21913d08a8c9ac5f2d83b94b

SHA1
9d49a662400372cade9c8631b416ca47eecf7643

SHA256
37c6694eaa56dc7873e96413b8787052da0319c151a63972625b6f2acfe38379

SHA512
b88a706a6fe6d2e9fa3f0cc86e5c47a7109ac7a582ec8eddbd15b6bee27c56a92725c2e01b2cac19f79e7c237679a34c51d9d185be23038a6f676ada0ebd1d29

Download Submit
\Program Files\Java\jdk1.7.0_80\bin\vidlj.exe

Filesize
1.2MB

MD5
3da06dedb6cde761916a43123d97acd1

SHA1
4076050ecd11eff1c3e6a8ea812bef0c2c7e68bb

SHA256
cb2d3aa846871d6b4780ec46cc7179725ca0efdc1ef6d202da99f0a295332c57

SHA512
5187e20571a52fdbfbbe2fc87127d7efe6e4bd6c18e157f057f452a3f631f7f6471d2bab41c6e54f819373af04df522f304d715605a9de2000e97de0b4adbcd8

Download Submit
\Program Files\Java\jdk1.7.0_80\bin\vjabswitch.exe

Filesize
1.2MB

MD5
7d8ae1ca2c532f8b93b6c89dccf851c8

SHA1
03f6dac7300e5f26afda1485c9d0c56044934e25

SHA256
84e4300a360faac3c370394b894d3f3fcbbf7ecb86429539b873e6877c935a03

SHA512
493e64ec6377a1bec0f6446e6b714dcced42d2183ba8e585a296b2da5a9819f03b4c10cce563f9b3050bf89de9b88a50e9d411c4d46dfd23baa0ddac8c0f83e3

Download Submit
\Program Files\Java\jdk1.7.0_80\bin\vjar.exe

Filesize
1.2MB

MD5
225cce79a554cba36d19b30c901cb32e

SHA1
b3639d835ded6c2bee5a36da7d21b8faf6676638

SHA256
8c5a62966b5ac809368972c58ff2af33e2b993da1ea5bcd520f95d1fc157d261

SHA512
349fc3bfa21bba13d77ed78ed4bbdc421c6ef25cf15de39536ccec932a84561e2305e937062db9e59fca4d8b08f572eefa3d6ba15f867211e98fe92c36339d12

Download Submit
\Users\Admin\AppData\Roaming\Paint.exe

Filesize
2.1MB

MD5
10fe844edc4fc5dc0d981aa503370c17

SHA1
a5fcc664fc647c273190adc2701ec7e07ae69bce

SHA256
fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd

SHA512
336312d886b319f0ffb19d68bca66a2e130479958f579058388cce086e186887f4956d4a4786c81fe7ccfba5fa5dac08d4b00becea9cf102d02cbc9231ba9203

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b3319f1d5fc1ca778805dae31165996a

SHA1
3f5e095f2989828326d8b65e778e9d9eb69ce3b5

SHA256
5f80364b0535f86e6bce2b2b1952682034792fde5fb386e62460c1ac53c799e2

SHA512
32ab7b548078b6b1cdc46598e0d0b9ed1d2f2b951ad387d2f9d05d97032e74e33078f861e409324b3589c2f7c1b4e61ef9173f14dcbba024a1931faed1623bcb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
5bb4ff3d3e6180079cbf466b5e2aca20

SHA1
1b5f06ca076712796cd972203f369901c53e5572

SHA256
da0ba8929c76fd7e3dba7bd1ec60f1312de941bf01831734656a183e82872c12

SHA512
a7d9e4b62122018f65aa6b743c2c188a13b794d6337ec8cdfe4184172b32c0494ff00bce9c2e3a1b1bd6878c4de36275415fe5e9cefedf6819bb47cce7bbb540

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
83449f44bf1150aeb50b9a73182d53f1

SHA1
2194cff0a142d476ce162cc519fe8edeeb47e06e

SHA256
c1a212a0055535628e0a233845a7e234b363ea8916385083454ec7eeccec80af

SHA512
42ca363506d9a460eb9d24d964db0502e41226288235e8f6fd4f2d30b3fad4d7d544f5ba5794aa1228033fd2f9b69bf9a4345a2bdfdb04541416d53dfc113366

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
05b4717c5fe2e1948f4dbc5e9b0d2459

SHA1
8e17bc546d31f0d4c5a3874457acf866ae5c9951

SHA256
f2ff047a3b38955988a571b6a09b1082f0a107ffbd45e75acd92102ad8f7ca86

SHA512
5f683f309d0e50e1adbd84511d5d3d993e16003bab962cae7f79e52d040aa9e07a1268061d8ef8f7ed5b9d25175bc038c4dfda11e4de8becd063f5a2a9c86ca0

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2fae7c8d8fab108436ce8220acd5fe8b

SHA1
562591537574662d55e263b1e59d5e577081b1ee

SHA256
700fdd2223beeaf3c66c9571e6df5f1eeae91384fbb727f5f903a71083983acb

SHA512
2ae741dfe2f7c86b7b28d640144d17aff2d2acafb52a9385302e9009c8d837d966c552b1e5b383ac852edc5da6e0a037962292603e39f7917fd532d27d444ef7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
af527614a7b250e24baded36d7e01602

SHA1
25c01f8f931e5b151c3d0d0b27193009ad9b3533

SHA256
e942c85d6dc6b6d48db22bb47731240c7859f9e663d5a3f9b0094c7d24939eef

SHA512
b5485856cd50bc40322fb21570df7e08fcd543a1e985cafa051eaa91640efc4c97738d325d8fae7492245e6eb74730c983c43c2e5a38f526e4f1f8b1211c4fc1

Download Submit
memory/240-263-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/240-257-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/472-77-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/472-86-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/472-85-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/532-114-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/532-106-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/532-131-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/688-222-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/688-282-0x0000000071718000-0x000000007172D000-memory.dmp

Filesize
84KB

Download
memory/688-247-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/688-220-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/820-216-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/820-182-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/820-180-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/876-188-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/876-186-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1048-87-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1088-151-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1088-163-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1088-161-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1420-224-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1420-226-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/1476-138-0x0000000003C40000-0x0000000003C55000-memory.dmp

Filesize
84KB

Download
memory/1476-133-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1476-71-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1476-54-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/1476-72-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/1508-129-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1508-139-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1508-119-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1508-135-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1508-132-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1608-142-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1608-127-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1656-192-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1656-208-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1656-193-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1656-207-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1684-146-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1684-157-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1684-162-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1720-75-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1720-286-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1732-223-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1732-225-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1732-233-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1740-115-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1740-116-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1740-89-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1772-283-0x0000000003480000-0x0000000003680000-memory.dmp

Filesize
2.0MB

Download
memory/1772-159-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1772-278-0x0000000003480000-0x000000000365E000-memory.dmp

Filesize
1.9MB

Download
memory/1772-279-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-280-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-281-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-276-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-137-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1772-284-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-285-0x0000000003480000-0x0000000003664000-memory.dmp

Filesize
1.9MB

Download
memory/1772-275-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-287-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-274-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-273-0x0000000003480000-0x00000000037D6000-memory.dmp

Filesize
3.3MB

Download
memory/1772-272-0x0000000003480000-0x00000000037D6000-memory.dmp

Filesize
3.3MB

Download
memory/1772-141-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1772-147-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1772-258-0x0000000003480000-0x000000000368E000-memory.dmp

Filesize
2.1MB

Download
memory/1772-277-0x0000000003480000-0x0000000003654000-memory.dmp

Filesize
1.8MB

Download
memory/1772-260-0x0000000003480000-0x000000000362B000-memory.dmp

Filesize
1.7MB

Download
memory/1772-181-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1772-251-0x0000000003480000-0x00000000035F8000-memory.dmp

Filesize
1.5MB

Download
memory/1772-254-0x0000000003480000-0x0000000003671000-memory.dmp

Filesize
1.9MB

Download
memory/1956-96-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1956-109-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1956-111-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2020-63-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2020-74-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2020-73-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads