444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5

Analysis

max time kernel
157s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
Size

891KB
MD5

5434440899fac616e43d8bb3e9a54c10
SHA1

7b2a0d508283800c74ec2f578dd433e966123cd1
SHA256

444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5
SHA512

a7a8c781af10db4cf946e6144d11350fc85cc6978b3d5af77dc25cf474ebb700fcd0e9c45d7e3249b6cb81ffa16d25e282a4152e7a1bce3ad59d246506a09ff1
SSDEEP

24576:qrX9M2+PMaSYCiSSXqjjm3nu5qPQjpQ3O1m:gX9M2+PMleXqjq3u5ZpQ3O

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
1988	mscorsvw.exe
1860	obexk.exe
464	Process not Found
1504	mscorsvw.exe
272	mscorsvw.exe

Deletes itself 1 IoCs

pid	Process
1144	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
464	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0"	mscorsvw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\hleicikg.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\fjipckln.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\system32\alg.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File created	\??\c:\windows\system32\jllgnfch.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 280 set thread context of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\oknekine.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\pmaelapn.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\qgcpmgkn.tmp	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\cfppfonb.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\bhnhpahn.tmp	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\13477B37-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1860	obexk.exe
1860	obexk.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
Token: SeTakeOwnershipPrivilege	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
Token: SeTakeOwnershipPrivilege	1988	mscorsvw.exe
Token: SeManageVolumePrivilege	460	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
460	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
460	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
460	WinMail.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 1860	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	28
PID 280 wrote to memory of 1860	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	28
PID 280 wrote to memory of 1860	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	28
PID 280 wrote to memory of 1860	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	28
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1468	1860	obexk.exe	29
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1100	1860	obexk.exe	16
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1172	1860	obexk.exe	18
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 1200	1860	obexk.exe	19
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 1860 wrote to memory of 280	1860	obexk.exe	26
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 280 wrote to memory of 1144	280	444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe	32
PID 1468 wrote to memory of 1200	1468	explorer.exe	19
PID 1468 wrote to memory of 1200	1468	explorer.exe	19

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe
  "C:\Users\Admin\AppData\Local\Temp\444946a7935918d83a63fac1b34598f45d98d817a15a530a3a6c02b707dba0a5.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Users\Admin\AppData\Roaming\Guusry\obexk.exe
    "C:\Users\Admin\AppData\Roaming\Guusry\obexk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdbea99fb.bat"
    3⤵
    - Deletes itself
    PID:1144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1988

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:272

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpdbea99fb.bat

Filesize
307B

MD5
91a80691c96c6e5182fbea5c679924c3

SHA1
9735742631d97ec4c00ea17e6e00ac833944b6df

SHA256
a5de9850c233ded9691fa655e4c349711b690fd254668fc6a6b9ae5a55415730

SHA512
4dc0a14d24ec2ca9d709c48fa5e292b94dab16200bf5621bcc8909355639f1a451b41f617f32c010e5a7c1a50012e787a0bd14cb7a7fcd1e98e71ffd627d44a8

Download Submit
C:\Users\Admin\AppData\Roaming\Guusry\obexk.exe

Filesize
891KB

MD5
5a55baf2a4d2672157fd9070f19f7d7a

SHA1
e3b9f16bcf5e066ab918fa9bfa1974ffd0df3838

SHA256
30d89bcc02357acd513790c3253672a4010844a4b00139f600e13369679ed4d1

SHA512
6240783174345f598f5e44ed9cf15b7377a2d291ee830ff7d2190d97c2489e601631c7c49b46f3fb7151784268dfcd815a0c96c52a62b67f8979dace615daaad

Download Submit
C:\Users\Admin\AppData\Roaming\Guusry\obexk.exe

Filesize
891KB

MD5
5a55baf2a4d2672157fd9070f19f7d7a

SHA1
e3b9f16bcf5e066ab918fa9bfa1974ffd0df3838

SHA256
30d89bcc02357acd513790c3253672a4010844a4b00139f600e13369679ed4d1

SHA512
6240783174345f598f5e44ed9cf15b7377a2d291ee830ff7d2190d97c2489e601631c7c49b46f3fb7151784268dfcd815a0c96c52a62b67f8979dace615daaad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
715358af582f0f75d1ded78f6f942a97

SHA1
fdc1ae91337e0cdadbbea525788f816912cad69a

SHA256
9ff9b6cf4c57b0219b191bb40ab98bcb548a59c39e1147e1d066bd404909f556

SHA512
cac39dabbe07f7c50f3bfd48414e09e66169003aa0bf7fb6a4606c61b24be061cdc472afcb98b199bcf67e68297af74e9c4ed913f9f7f300557e798f6e374062

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
715358af582f0f75d1ded78f6f942a97

SHA1
fdc1ae91337e0cdadbbea525788f816912cad69a

SHA256
9ff9b6cf4c57b0219b191bb40ab98bcb548a59c39e1147e1d066bd404909f556

SHA512
cac39dabbe07f7c50f3bfd48414e09e66169003aa0bf7fb6a4606c61b24be061cdc472afcb98b199bcf67e68297af74e9c4ed913f9f7f300557e798f6e374062

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
eb958eebecc9d888ce2d5784144bfb39

SHA1
fc68c62374918a9a5e238f2c97e1d2c436b7137a

SHA256
bb789a5226a891b0d21ad46525fa480d0bb453d7eb7b3f411efeacdbc4e16032

SHA512
f59420ec8c6cbb959ff7ae445df732b3e28d69b06131254aa8783697a2505362874071ef132798f28f5a426f168ba2b9672b8d97a5b0a56069eb167749e45bd1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
eb958eebecc9d888ce2d5784144bfb39

SHA1
fc68c62374918a9a5e238f2c97e1d2c436b7137a

SHA256
bb789a5226a891b0d21ad46525fa480d0bb453d7eb7b3f411efeacdbc4e16032

SHA512
f59420ec8c6cbb959ff7ae445df732b3e28d69b06131254aa8783697a2505362874071ef132798f28f5a426f168ba2b9672b8d97a5b0a56069eb167749e45bd1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
86f531f701f9ac7f4486967f3a3c820d

SHA1
16fa201d5e8339aca636ebea38927efcc12dfbc0

SHA256
72de7feb6e72111c317d70a9fdbb52943804886b3a6cd15b2066fc27163786d4

SHA512
c7db5a4e6e7778964f0538deadc7ed5e249eb756ecc3854450b6fff4e18bad054faa38d27cd0c37c9c715298fe1eaecda140fdcfb32f46e8cb77b193fbc838c2

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
599KB

MD5
62ad6997b8fc4feac783794b2e503532

SHA1
be90155844fd5451d44ee5f1d6ca32cca6d17b0b

SHA256
87938c7aac77172a6bf297a35501ba911c08ff8c92a8ffe18241ab9e8b49466d

SHA512
bbb5819564f881dcc27b25e00d592b477a2414b8f637659151fa46514d05d0dd798d2721f7327003369b89f16e6f845ec2cb7a013ae6da09483775be4fbf19ea

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
615KB

MD5
20458d200dff4669c393c42b036d476b

SHA1
a96663dd7fdfee79d0360b9f17c464e4c7e344ad

SHA256
996d4cdb7b01861b99efd973ad57765df8ed2b31bcace2bb879fffa92f5a1f79

SHA512
c0663bd7f64a1e8af233a9ce80278618bbcf2a920a96a78619f3548c5859e8f7f3e9c827f5b3a045335a6c3d3e92b8486c1fe81e984618bcdf204ff2349c0613

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
606e7753427ba7b031be1942e9f39a03

SHA1
525d79fa11e2bf620fa552ddd74b270aa5be7e50

SHA256
c66344337490ca1faf5e7e14145f7cecf1dd3614c67e6910cc83298336abc150

SHA512
ddd942c066b97e578eaac3dee57164dd5efd10fd9bcc202b29b7986115997353c3b42ab81a535f27bb0560244d6d67a2e103400e86d195d81f902dca4ed6b9a4

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
86f531f701f9ac7f4486967f3a3c820d

SHA1
16fa201d5e8339aca636ebea38927efcc12dfbc0

SHA256
72de7feb6e72111c317d70a9fdbb52943804886b3a6cd15b2066fc27163786d4

SHA512
c7db5a4e6e7778964f0538deadc7ed5e249eb756ecc3854450b6fff4e18bad054faa38d27cd0c37c9c715298fe1eaecda140fdcfb32f46e8cb77b193fbc838c2

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
656KB

MD5
287e341bbcc844f3abf0a23bb27d0a49

SHA1
6d5cece83c03d068bbc2e5060f5468dbc1c52420

SHA256
79396d84ade72689c71851fedd60f691af586500b51f213bd647816401faf3d7

SHA512
538426c74bc5c4b22aff9da6c60d552d02450bd48bd086a466bd21ba8905288d651fff2156f51f09222e068c36360d8cd8f296cbeba8023bf907692f36ec17de

Download Submit
\Users\Admin\AppData\Roaming\Guusry\obexk.exe

Filesize
891KB

MD5
5a55baf2a4d2672157fd9070f19f7d7a

SHA1
e3b9f16bcf5e066ab918fa9bfa1974ffd0df3838

SHA256
30d89bcc02357acd513790c3253672a4010844a4b00139f600e13369679ed4d1

SHA512
6240783174345f598f5e44ed9cf15b7377a2d291ee830ff7d2190d97c2489e601631c7c49b46f3fb7151784268dfcd815a0c96c52a62b67f8979dace615daaad

Download Submit
\Users\Admin\AppData\Roaming\Guusry\obexk.exe

Filesize
891KB

MD5
5a55baf2a4d2672157fd9070f19f7d7a

SHA1
e3b9f16bcf5e066ab918fa9bfa1974ffd0df3838

SHA256
30d89bcc02357acd513790c3253672a4010844a4b00139f600e13369679ed4d1

SHA512
6240783174345f598f5e44ed9cf15b7377a2d291ee830ff7d2190d97c2489e601631c7c49b46f3fb7151784268dfcd815a0c96c52a62b67f8979dace615daaad

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
715358af582f0f75d1ded78f6f942a97

SHA1
fdc1ae91337e0cdadbbea525788f816912cad69a

SHA256
9ff9b6cf4c57b0219b191bb40ab98bcb548a59c39e1147e1d066bd404909f556

SHA512
cac39dabbe07f7c50f3bfd48414e09e66169003aa0bf7fb6a4606c61b24be061cdc472afcb98b199bcf67e68297af74e9c4ed913f9f7f300557e798f6e374062

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
715358af582f0f75d1ded78f6f942a97

SHA1
fdc1ae91337e0cdadbbea525788f816912cad69a

SHA256
9ff9b6cf4c57b0219b191bb40ab98bcb548a59c39e1147e1d066bd404909f556

SHA512
cac39dabbe07f7c50f3bfd48414e09e66169003aa0bf7fb6a4606c61b24be061cdc472afcb98b199bcf67e68297af74e9c4ed913f9f7f300557e798f6e374062

Download Submit
memory/272-134-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/280-151-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/280-125-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/280-68-0x0000000003220000-0x00000000034F5000-memory.dmp

Filesize
2.8MB

Download
memory/280-129-0x0000000003220000-0x00000000034F5000-memory.dmp

Filesize
2.8MB

Download
memory/280-54-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/280-128-0x0000000003220000-0x00000000034F5000-memory.dmp

Filesize
2.8MB

Download
memory/280-152-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/280-132-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/280-69-0x0000000003220000-0x00000000034F5000-memory.dmp

Filesize
2.8MB

Download
memory/280-127-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/280-126-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/280-124-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/280-59-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/280-58-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/280-57-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/280-56-0x0000000000E30000-0x0000000001104000-memory.dmp

Filesize
2.8MB

Download
memory/280-55-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/280-122-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/460-158-0x0000000001E50000-0x0000000001E60000-memory.dmp

Filesize
64KB

Download
memory/460-164-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/460-156-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/460-157-0x000007FEFB1F1000-0x000007FEFB1F3000-memory.dmp

Filesize
8KB

Download
memory/1100-102-0x0000000001EF0000-0x0000000001F1C000-memory.dmp

Filesize
176KB

Download
memory/1100-101-0x0000000001EF0000-0x0000000001F1C000-memory.dmp

Filesize
176KB

Download
memory/1100-103-0x0000000001EF0000-0x0000000001F1C000-memory.dmp

Filesize
176KB

Download
memory/1100-98-0x0000000001EF0000-0x0000000001F1C000-memory.dmp

Filesize
176KB

Download
memory/1100-100-0x0000000001EF0000-0x0000000001F1C000-memory.dmp

Filesize
176KB

Download
memory/1144-143-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-171-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-148-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-145-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-154-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-149-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-147-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1144-146-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1172-106-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/1172-111-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/1172-110-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/1172-109-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/1172-108-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/1200-119-0x0000000002960000-0x000000000298C000-memory.dmp

Filesize
176KB

Download
memory/1200-118-0x0000000002960000-0x000000000298C000-memory.dmp

Filesize
176KB

Download
memory/1200-117-0x0000000002960000-0x000000000298C000-memory.dmp

Filesize
176KB

Download
memory/1200-116-0x0000000002960000-0x000000000298C000-memory.dmp

Filesize
176KB

Download
memory/1200-114-0x0000000002960000-0x000000000298C000-memory.dmp

Filesize
176KB

Download
memory/1468-78-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-79-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-76-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-155-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-135-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-80-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-82-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-81-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-95-0x0000000074AC1000-0x0000000074AC3000-memory.dmp

Filesize
8KB

Download
memory/1468-83-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1504-138-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/1504-84-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/1504-136-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/1860-70-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/1860-139-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/1860-131-0x0000000000B40000-0x0000000000E14000-memory.dmp

Filesize
2.8MB

Download
memory/1860-130-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/1860-72-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/1860-71-0x0000000000B40000-0x0000000000E14000-memory.dmp

Filesize
2.8MB

Download
memory/1988-137-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/1988-93-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/1988-61-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download