a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe
Size

2.5MB
MD5

86260e89b8a8f458292ccb045cae70d0
SHA1

3acf656e84ed7432db7b0ad7ce1faff3f650f335
SHA256

a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782
SHA512

1e6d6c7cae532ecc25eb0378353f56a28908d97c684134d6f28dfb8c8073130f1e60f544394fd50d958d53e5aaa29927392c64a4521691c4d68e09ae727a935a
SSDEEP

49152:1cGJbpgcOVmQ+ljS7yLfijfzQwMWjoFznhaJ9uPQDnpU6d:GGJbp4VmQ+ljS2LfijbQwMWTJgoDnV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 34 IoCs

pid	Process
468	Process not Found
2092	alg.exe
2548	mscorsvw.exe
2504	mscorsvw.exe
1688	elevation_service.exe
1276	GROOVE.EXE
1372	mscorsvw.exe
808	maintenanceservice.exe
532	mscorsvw.exe
640	OSE.EXE
2360	OSPPSVC.EXE
1840	mscorsvw.exe
1736	mscorsvw.exe
460	mscorsvw.exe
2080	mscorsvw.exe
1768	mscorsvw.exe
1008	mscorsvw.exe
1500	mscorsvw.exe
1584	mscorsvw.exe
2712	mscorsvw.exe
2576	mscorsvw.exe
2312	mscorsvw.exe
2732	mscorsvw.exe
2608	mscorsvw.exe
2928	mscorsvw.exe
2028	mscorsvw.exe
2056	mscorsvw.exe
2024	mscorsvw.exe
2956	mscorsvw.exe
1620	mscorsvw.exe
1500	mscorsvw.exe
2524	mscorsvw.exe
2068	mscorsvw.exe
1000	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60a4f18c99022096.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1532	a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeDebugPrivilege	2092	alg.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1372	2504	mscorsvw.exe	33
PID 2504 wrote to memory of 1372	2504	mscorsvw.exe	33
PID 2504 wrote to memory of 1372	2504	mscorsvw.exe	33
PID 2504 wrote to memory of 532	2504	mscorsvw.exe	37
PID 2504 wrote to memory of 532	2504	mscorsvw.exe	37
PID 2504 wrote to memory of 532	2504	mscorsvw.exe	37
PID 2548 wrote to memory of 1840	2548	mscorsvw.exe	40
PID 2548 wrote to memory of 1840	2548	mscorsvw.exe	40
PID 2548 wrote to memory of 1840	2548	mscorsvw.exe	40
PID 2548 wrote to memory of 1840	2548	mscorsvw.exe	40
PID 2548 wrote to memory of 1736	2548	mscorsvw.exe	41
PID 2548 wrote to memory of 1736	2548	mscorsvw.exe	41
PID 2548 wrote to memory of 1736	2548	mscorsvw.exe	41
PID 2548 wrote to memory of 1736	2548	mscorsvw.exe	41
PID 2548 wrote to memory of 460	2548	mscorsvw.exe	42
PID 2548 wrote to memory of 460	2548	mscorsvw.exe	42
PID 2548 wrote to memory of 460	2548	mscorsvw.exe	42
PID 2548 wrote to memory of 460	2548	mscorsvw.exe	42
PID 2548 wrote to memory of 2080	2548	mscorsvw.exe	43
PID 2548 wrote to memory of 2080	2548	mscorsvw.exe	43
PID 2548 wrote to memory of 2080	2548	mscorsvw.exe	43
PID 2548 wrote to memory of 2080	2548	mscorsvw.exe	43
PID 2548 wrote to memory of 1768	2548	mscorsvw.exe	44
PID 2548 wrote to memory of 1768	2548	mscorsvw.exe	44
PID 2548 wrote to memory of 1768	2548	mscorsvw.exe	44
PID 2548 wrote to memory of 1768	2548	mscorsvw.exe	44
PID 2548 wrote to memory of 1008	2548	mscorsvw.exe	45
PID 2548 wrote to memory of 1008	2548	mscorsvw.exe	45
PID 2548 wrote to memory of 1008	2548	mscorsvw.exe	45
PID 2548 wrote to memory of 1008	2548	mscorsvw.exe	45
PID 2548 wrote to memory of 1500	2548	mscorsvw.exe	46
PID 2548 wrote to memory of 1500	2548	mscorsvw.exe	46
PID 2548 wrote to memory of 1500	2548	mscorsvw.exe	46
PID 2548 wrote to memory of 1500	2548	mscorsvw.exe	46
PID 2548 wrote to memory of 1584	2548	mscorsvw.exe	47
PID 2548 wrote to memory of 1584	2548	mscorsvw.exe	47
PID 2548 wrote to memory of 1584	2548	mscorsvw.exe	47
PID 2548 wrote to memory of 1584	2548	mscorsvw.exe	47
PID 2548 wrote to memory of 2712	2548	mscorsvw.exe	48
PID 2548 wrote to memory of 2712	2548	mscorsvw.exe	48
PID 2548 wrote to memory of 2712	2548	mscorsvw.exe	48
PID 2548 wrote to memory of 2712	2548	mscorsvw.exe	48
PID 2548 wrote to memory of 2576	2548	mscorsvw.exe	49
PID 2548 wrote to memory of 2576	2548	mscorsvw.exe	49
PID 2548 wrote to memory of 2576	2548	mscorsvw.exe	49
PID 2548 wrote to memory of 2576	2548	mscorsvw.exe	49
PID 2548 wrote to memory of 2312	2548	mscorsvw.exe	50
PID 2548 wrote to memory of 2312	2548	mscorsvw.exe	50
PID 2548 wrote to memory of 2312	2548	mscorsvw.exe	50
PID 2548 wrote to memory of 2312	2548	mscorsvw.exe	50
PID 2548 wrote to memory of 2732	2548	mscorsvw.exe	51
PID 2548 wrote to memory of 2732	2548	mscorsvw.exe	51
PID 2548 wrote to memory of 2732	2548	mscorsvw.exe	51
PID 2548 wrote to memory of 2732	2548	mscorsvw.exe	51
PID 2548 wrote to memory of 2608	2548	mscorsvw.exe	52
PID 2548 wrote to memory of 2608	2548	mscorsvw.exe	52
PID 2548 wrote to memory of 2608	2548	mscorsvw.exe	52
PID 2548 wrote to memory of 2608	2548	mscorsvw.exe	52
PID 2548 wrote to memory of 2928	2548	mscorsvw.exe	53
PID 2548 wrote to memory of 2928	2548	mscorsvw.exe	53
PID 2548 wrote to memory of 2928	2548	mscorsvw.exe	53
PID 2548 wrote to memory of 2928	2548	mscorsvw.exe	53
PID 2548 wrote to memory of 2028	2548	mscorsvw.exe	54
PID 2548 wrote to memory of 2028	2548	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe
"C:\Users\Admin\AppData\Local\Temp\a47462fe74b8294669b1d1535c70c9abb879c63b7a177f398b355e8f5c1d6782.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f0 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 240 -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 288 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 258 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 290 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 278 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 25c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a4 -NGENProcess 240 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 29c -NGENProcess 28c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 1f0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:808

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:640

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a4a7e651de3522ae6122f0c98f22f3ab

SHA1
4758b94391fe44e777314eb4e1a22616e999d6ae

SHA256
e781d46f8b5f7b513d1f6460cd49f16fb196e03e6bdf7d442a29edc172638390

SHA512
25c495d1585d850fcd33c9e6fa263da11ed5d8b9701d777d75bb02c9407a2e9313077d117ed2edec240d075ec1a35b383c44b01dffadf93b74c130f77fde9a6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
04753a8f8c73800ba39a59362845310c

SHA1
b363489cf66d7ee79971f33ecb7ecdd4326efd25

SHA256
421de063cd96f99621c1c01c6f63b876fb93fb1f1c7969f4173c152de252b48a

SHA512
1d3c6b83225eb183d07ffee4f7bb7b1c1ec4d89d9d7b486c085d42d54e307a069e3966cf339386990384752f5aeab1595df105f789d7ad284e29c99e0516e75a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
03abe391df905092af697f1adaf3475c

SHA1
0c473ba176fb5c9d7150cde841ee8f85690db346

SHA256
42d3f74afee3e22eb73e503a80a8b2b6c3b829e005c6f3f4f61505e9532ae30b

SHA512
4088255b96144b610f2eef131f120b22226e76d4b4af2d6200988a31840f8cea43e0acca9c1684a2d3287dd3a5c6619596f04d0bae5d4cfcd98731eb054520e5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f8b9886497be88663f5b344cf00c7379

SHA1
452ecb205f07e2969d60252bf9e1864043600fcc

SHA256
0bda7eddb08828d5e25d3f41336923757490954ef31194b467c9eee5bf1edb47

SHA512
1f1454f1cbb787eb3830292eef34f8bde4667f26ac546bf2fd530e29b93effd9b4dbdca997751b389e3a783f51e657c2c56e74b72f8cde3070ae8e8611d39cc6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
23c7f0796281f64997660fd59f71076c

SHA1
dbfd88b2472a27d006e0a668294f385d9be042e5

SHA256
449779f417362ebea1b462221917c0178adb8bac138f8331162d0b7e76898b1c

SHA512
082ec4ae0c7f4203a0de9019ce11dfbafd9d5f91bc511d8b0c680a2165c13b857127d123078d9eab8cbe7867c7b106ee4e3ad8a7e8f8962f6e720bc029ae726f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
bacfa14373f6573674d879c0de8a9c12

SHA1
7d3fad47707a93d77f6a6d8f419d8655e36f72d1

SHA256
f76a846effe23a4bc4f702e806237c021a4c8b8788af2a2d5cb6578227264f1f

SHA512
8a5590fa1654bec24077c5cf00ad215d7f297111eeac85ed2520fc7ea5a9d7cbf4ceccff0dc4ab5952735a38f540318a905a7b9ed7d186396f725a8478dc96ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
c4e3af18384e4b59fced861665505682

SHA1
fac4bef4aa7f5f4eca1eeb3d7f7651c380a370a4

SHA256
5cde385de622f2b8e7ed4d39311caf93b422ec2070a35463c3be77abd77c567e

SHA512
9d8fbba2d7f779d49302cdc78385b5fe5ab7508e0d6bc74f12ab501e0c03e6aa12f44c3311e500cd4e246ee43d6a6cdbb0689aeafc3e394ba53dfaf8125136f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
c4e3af18384e4b59fced861665505682

SHA1
fac4bef4aa7f5f4eca1eeb3d7f7651c380a370a4

SHA256
5cde385de622f2b8e7ed4d39311caf93b422ec2070a35463c3be77abd77c567e

SHA512
9d8fbba2d7f779d49302cdc78385b5fe5ab7508e0d6bc74f12ab501e0c03e6aa12f44c3311e500cd4e246ee43d6a6cdbb0689aeafc3e394ba53dfaf8125136f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
c4e3af18384e4b59fced861665505682

SHA1
fac4bef4aa7f5f4eca1eeb3d7f7651c380a370a4

SHA256
5cde385de622f2b8e7ed4d39311caf93b422ec2070a35463c3be77abd77c567e

SHA512
9d8fbba2d7f779d49302cdc78385b5fe5ab7508e0d6bc74f12ab501e0c03e6aa12f44c3311e500cd4e246ee43d6a6cdbb0689aeafc3e394ba53dfaf8125136f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
c4e3af18384e4b59fced861665505682

SHA1
fac4bef4aa7f5f4eca1eeb3d7f7651c380a370a4

SHA256
5cde385de622f2b8e7ed4d39311caf93b422ec2070a35463c3be77abd77c567e

SHA512
9d8fbba2d7f779d49302cdc78385b5fe5ab7508e0d6bc74f12ab501e0c03e6aa12f44c3311e500cd4e246ee43d6a6cdbb0689aeafc3e394ba53dfaf8125136f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
66b45d86b893062dfed288a66d141452

SHA1
531de485f3254d7eeea372e7dafed17fff60eb47

SHA256
58a3ddc52687de5630b0b77e22906e241fee8bc03f7dcc4ed15f79f7fb40190d

SHA512
54105a1395cfdb78a6d2604e9a4812488360a39885aa94987c74e25ab4dc0d163ae41a4dfcd1cf0bd813e784fb322c9a05ef543baea3f891e764cf98663ca891

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
b59b27964b2679edcf0c204d11a892f1

SHA1
c484b4aa42b3f636f5e720888790b0634e5b94a9

SHA256
94e52bbc621842c187383f9bf4d09214d532984baf250b042839ec03c8d131e7

SHA512
f94f7fa46f709507ca8950aa7d0c22e1d65b4a0a81528dfbadc3ed6f209f26d24d0afa6cd8a1dffefe80e244bdf71547c943449e20102a72c637f44339501a6a

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
b59b27964b2679edcf0c204d11a892f1

SHA1
c484b4aa42b3f636f5e720888790b0634e5b94a9

SHA256
94e52bbc621842c187383f9bf4d09214d532984baf250b042839ec03c8d131e7

SHA512
f94f7fa46f709507ca8950aa7d0c22e1d65b4a0a81528dfbadc3ed6f209f26d24d0afa6cd8a1dffefe80e244bdf71547c943449e20102a72c637f44339501a6a

Download Submit
memory/460-360-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/460-358-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/460-366-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/460-376-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/460-361-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/460-353-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/460-377-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/532-173-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/532-172-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/532-132-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/532-171-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/532-137-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/532-140-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/640-212-0x000000002E000000-0x000000002E22A000-memory.dmp

Filesize
2.2MB

Download
memory/640-141-0x00000000003E0000-0x0000000000447000-memory.dmp

Filesize
412KB

Download
memory/640-139-0x000000002E000000-0x000000002E22A000-memory.dmp

Filesize
2.2MB

Download
memory/808-125-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/808-101-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/808-126-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/808-99-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1276-87-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1276-159-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1276-78-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1276-90-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1372-93-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/1372-95-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1372-122-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/1372-130-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1372-197-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1372-83-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1372-121-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1532-26-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1532-6-0x0000000001F50000-0x0000000001FB7000-memory.dmp

Filesize
412KB

Download
memory/1532-1-0x0000000001F50000-0x0000000001FB7000-memory.dmp

Filesize
412KB

Download
memory/1532-0-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1688-73-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1688-66-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1688-67-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1688-74-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1688-134-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1736-218-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/1736-342-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1736-344-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-336-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-355-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1736-356-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-389-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1840-341-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-170-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1840-168-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1840-339-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1840-185-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-390-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2080-374-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2080-379-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-391-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-20-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2092-43-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2092-19-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2092-12-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2092-13-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2360-340-0x00000000743F8000-0x000000007440D000-memory.dmp

Filesize
84KB

Download
memory/2360-144-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-334-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2360-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-177-0x00000000743F8000-0x000000007440D000-memory.dmp

Filesize
84KB

Download
memory/2360-166-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-151-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2504-65-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2504-54-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2504-55-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2504-48-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2504-47-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2548-44-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2548-30-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2548-31-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2548-37-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download