c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b

Analysis

max time kernel
168s
max time network
201s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
Size

1.8MB
MD5

2fca3056fe70cf4b21120ee8633e29c3
SHA1

e1f0cf2a1e14242f855a89fe4e817d955fc4986e
SHA256

c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b
SHA512

19312c9a92dca0779fd915f87de3c37021cc9328cfa91b9f747f1ffdb84b9a5a488860f02422cb574db76385b930a1d6e830d3752aa9555edffebe45dc385f0d
SSDEEP

49152:MM9QPdxwfE7WlFwKAfzuTiDFUFkpAD0zO6LJnsvWyLA:M1PdVQFwKZCFgqAwzO6F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
468	Process not Found
2748	alg.exe
2840	aspnet_state.exe
632	mscorsvw.exe
588	mscorsvw.exe
2648	mscorsvw.exe
2532	mscorsvw.exe
2124	elevation_service.exe
2788	GROOVE.EXE
1936	maintenanceservice.exe
2720	OSE.EXE
2604	OSPPSVC.EXE
2588	mscorsvw.exe
2820	mscorsvw.exe
2136	mscorsvw.exe
2108	mscorsvw.exe
704	mscorsvw.exe
1712	mscorsvw.exe
1696	mscorsvw.exe
2772	mscorsvw.exe
2828	mscorsvw.exe
1628	mscorsvw.exe
3056	mscorsvw.exe
1988	mscorsvw.exe
1204	mscorsvw.exe
1656	mscorsvw.exe
1136	mscorsvw.exe

Loads dropped DLL 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8c7bd3ab99022096.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT455.tmp	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_en-GB.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_iw.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateOnDemand.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_bn.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateSetup.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleCrashHandler.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ar.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_no.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdate.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_fi.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_lt.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_gu.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_es.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_uk.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_zh-TW.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\psuser.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_fa.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ca.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_id.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_sw.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_el.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ko.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateComRegisterShell64.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ro.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_sk.dll	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2392	c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	2532	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	2532	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	2648	mscorsvw.exe
Token: SeShutdownPrivilege	2532	mscorsvw.exe
Token: SeShutdownPrivilege	2532	mscorsvw.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2588	2648	mscorsvw.exe	40
PID 2648 wrote to memory of 2588	2648	mscorsvw.exe	40
PID 2648 wrote to memory of 2588	2648	mscorsvw.exe	40
PID 2648 wrote to memory of 2588	2648	mscorsvw.exe	40
PID 2648 wrote to memory of 2820	2648	mscorsvw.exe	41
PID 2648 wrote to memory of 2820	2648	mscorsvw.exe	41
PID 2648 wrote to memory of 2820	2648	mscorsvw.exe	41
PID 2648 wrote to memory of 2820	2648	mscorsvw.exe	41
PID 2648 wrote to memory of 2136	2648	mscorsvw.exe	42
PID 2648 wrote to memory of 2136	2648	mscorsvw.exe	42
PID 2648 wrote to memory of 2136	2648	mscorsvw.exe	42
PID 2648 wrote to memory of 2136	2648	mscorsvw.exe	42
PID 2648 wrote to memory of 2108	2648	mscorsvw.exe	43
PID 2648 wrote to memory of 2108	2648	mscorsvw.exe	43
PID 2648 wrote to memory of 2108	2648	mscorsvw.exe	43
PID 2648 wrote to memory of 2108	2648	mscorsvw.exe	43
PID 2648 wrote to memory of 704	2648	mscorsvw.exe	44
PID 2648 wrote to memory of 704	2648	mscorsvw.exe	44
PID 2648 wrote to memory of 704	2648	mscorsvw.exe	44
PID 2648 wrote to memory of 704	2648	mscorsvw.exe	44
PID 2648 wrote to memory of 1712	2648	mscorsvw.exe	45
PID 2648 wrote to memory of 1712	2648	mscorsvw.exe	45
PID 2648 wrote to memory of 1712	2648	mscorsvw.exe	45
PID 2648 wrote to memory of 1712	2648	mscorsvw.exe	45
PID 2648 wrote to memory of 1696	2648	mscorsvw.exe	46
PID 2648 wrote to memory of 1696	2648	mscorsvw.exe	46
PID 2648 wrote to memory of 1696	2648	mscorsvw.exe	46
PID 2648 wrote to memory of 1696	2648	mscorsvw.exe	46
PID 2648 wrote to memory of 2772	2648	mscorsvw.exe	47
PID 2648 wrote to memory of 2772	2648	mscorsvw.exe	47
PID 2648 wrote to memory of 2772	2648	mscorsvw.exe	47
PID 2648 wrote to memory of 2772	2648	mscorsvw.exe	47
PID 2648 wrote to memory of 2828	2648	mscorsvw.exe	48
PID 2648 wrote to memory of 2828	2648	mscorsvw.exe	48
PID 2648 wrote to memory of 2828	2648	mscorsvw.exe	48
PID 2648 wrote to memory of 2828	2648	mscorsvw.exe	48
PID 2648 wrote to memory of 1628	2648	mscorsvw.exe	49
PID 2648 wrote to memory of 1628	2648	mscorsvw.exe	49
PID 2648 wrote to memory of 1628	2648	mscorsvw.exe	49
PID 2648 wrote to memory of 1628	2648	mscorsvw.exe	49
PID 2648 wrote to memory of 3056	2648	mscorsvw.exe	50
PID 2648 wrote to memory of 3056	2648	mscorsvw.exe	50
PID 2648 wrote to memory of 3056	2648	mscorsvw.exe	50
PID 2648 wrote to memory of 3056	2648	mscorsvw.exe	50
PID 2648 wrote to memory of 1988	2648	mscorsvw.exe	51
PID 2648 wrote to memory of 1988	2648	mscorsvw.exe	51
PID 2648 wrote to memory of 1988	2648	mscorsvw.exe	51
PID 2648 wrote to memory of 1988	2648	mscorsvw.exe	51
PID 2648 wrote to memory of 1204	2648	mscorsvw.exe	52
PID 2648 wrote to memory of 1204	2648	mscorsvw.exe	52
PID 2648 wrote to memory of 1204	2648	mscorsvw.exe	52
PID 2648 wrote to memory of 1204	2648	mscorsvw.exe	52
PID 2648 wrote to memory of 1656	2648	mscorsvw.exe	53
PID 2648 wrote to memory of 1656	2648	mscorsvw.exe	53
PID 2648 wrote to memory of 1656	2648	mscorsvw.exe	53
PID 2648 wrote to memory of 1656	2648	mscorsvw.exe	53
PID 2648 wrote to memory of 1136	2648	mscorsvw.exe	54
PID 2648 wrote to memory of 1136	2648	mscorsvw.exe	54
PID 2648 wrote to memory of 1136	2648	mscorsvw.exe	54
PID 2648 wrote to memory of 1136	2648	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe
"C:\Users\Admin\AppData\Local\Temp\c6898f6eddc05b0e71bd671f2cb68b6df3c6c4edacd464f0c927d41971ffad4b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:632

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 11c -NGENProcess 120 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 260 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 258 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 23c -NGENProcess 270 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 258 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 278 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 170 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 284 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2720

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
26e1b5c658c7c3726056373b37c467d0

SHA1
ae19ce347eb3755500daf6df2fd2eeb555bd7256

SHA256
3bc8166b965d70f453022491244682e83ccfffdee4f88acf806123792828d07b

SHA512
29d97a12b42c61d2232ef144e5fac5c7a25f8b7adbd7001a5b52eff0b49d20229544bfa85b87c5c21ef3804d465eab3e826bc4f15b9bf108378e65f7bf7a91cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e06a09da136c2a6c39e76bfcb72cd54e

SHA1
024413e2015eee70baf80dde0da0c670e1786277

SHA256
d8c7c0973612fce97906c40a0879c88aa1ff432b2142477c3b19963e3a780996

SHA512
0587feea5c7cc2a72fb8240f726b74a9409b57d014a1af9c280e5edd4318f728d94836c21555174c49467f2723002783be9f3ccbf240365e8cc2873d5fdc5f97

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
1bcc5ff03cb9cc0e3ea0c2831b6ec997

SHA1
e6a10fa70668a6e07d7eb9f7542718a0be017c85

SHA256
8f1d3c713acdf0c9595940d6e18185a6bb7d2f10945c189f9af422721e3c7b47

SHA512
e55b20be6dfaa9104d5c10d556386085706b085eeb8dba10cf43a6f7036cd4b6c32aa0622db3c7870bb8c04bb00f3b4421e3604cb79b847431f23152d70ab9c8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f7b60110d28b6f1a6a8e7aa8d0fe653a

SHA1
772d4ffa93f0ad1f46231f05646a3218e2ff798b

SHA256
251621bf4da4ae5953a2fc6c45e8a746360a4a815fae19275f324a164aa904a1

SHA512
e28190151ef37347e5dc73b64cea79b2021990f895feebf932726be33b8ec70f0dabefbcaf189265e9ddf1a70d02627d219867df28f4dde4b70eed1ebd1c5372

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4e06d9a87e35ca6fd12b37b45e8c3290

SHA1
edbf310dacac045e9321ee518f8210e2abab7f76

SHA256
668d7cba15a82cdcdb480e57fe479a8b1fff5569c24a7badf50a85d0bcd68032

SHA512
5f22259022625afb22c37647b4fbf8e679934e3af1dfefd5af5f4dd18e11e0f42a4030aa85df01888fcf8c7f1b98c6918318c1f0a4d552c33abac47a8c339983

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c56de6b28f0e53b30e6963159f7da138

SHA1
9650e2da266e7ed708b50dd2259d808bd41e3751

SHA256
4a07e0175d631c7252c2084ac5a1cbf441ae02c1fc2ebdbd34f1f3033266c67b

SHA512
d03af1f2121a57fedee715b6f30b5df4b54cb24b6af9d24cec979692dc6cd54ab84b064baa25b9fb9759cd20b86ad864e7d3786d62d8a112f28e8afd5717a2bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c56de6b28f0e53b30e6963159f7da138

SHA1
9650e2da266e7ed708b50dd2259d808bd41e3751

SHA256
4a07e0175d631c7252c2084ac5a1cbf441ae02c1fc2ebdbd34f1f3033266c67b

SHA512
d03af1f2121a57fedee715b6f30b5df4b54cb24b6af9d24cec979692dc6cd54ab84b064baa25b9fb9759cd20b86ad864e7d3786d62d8a112f28e8afd5717a2bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f3a4d4356f924e3b1b687cf0066c14cb

SHA1
b4f0373a17f433bd5c427becc0565ab2615a9183

SHA256
8bd7c31705560ee3e8fce220795f53fe1d2ca3094fb6a1f805301fcd43cd29bf

SHA512
379e3a39534d2c5ae90cd1571e323c2d809826489fe4f8d9a1ae3c2ee436f982938fba476024e9091c953bdea1ae9a426b02e106b850c4cb22dc0e35f66c3a80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
bdd08007ef9b16206e22076dc1a0b58f

SHA1
1c181a1b96cd70f50b9a262eb1c733f5623d81d6

SHA256
414ba389d76bcdfdc82d1ee53ad95c2d80c386a4129a3954bf04d6eb5e71e0a3

SHA512
9ef83b82658c4053fa24e92afc7cc6821a6b1048bd5a048c1ed855a8e31c68a5f5c15906367cdb0d7498dadcb5c8ea9f88b6fdb695650c763db611c08e3b39cb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
22e5368a9cc6c8496e46856229c5b14a

SHA1
1126ba3085388c3498ada17d198be3fa7a7f5f62

SHA256
4222b9d0d3f5701ea4b5c0bdb64e1e3d5602a107436e42d6fb3a7d32dc196dae

SHA512
9564fc8e0bfa0f95d0b88ffa1f443a0c82d00035b056c705c1f33a09595f349c611910183cc21d158ab55997483390826599e596b70114c2862ca40c1c8c5db3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
22e5368a9cc6c8496e46856229c5b14a

SHA1
1126ba3085388c3498ada17d198be3fa7a7f5f62

SHA256
4222b9d0d3f5701ea4b5c0bdb64e1e3d5602a107436e42d6fb3a7d32dc196dae

SHA512
9564fc8e0bfa0f95d0b88ffa1f443a0c82d00035b056c705c1f33a09595f349c611910183cc21d158ab55997483390826599e596b70114c2862ca40c1c8c5db3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
9600d99f8593c8a5e83e4a3ef6696aac

SHA1
7d3aa5d24a5039637227e7e29dbeac15baa3b99f

SHA256
39cabea637c82a1de17db52ed189b491738b9a3c01c84e210fa4937c96417c28

SHA512
e3a7a3af7616db11680cc73931c69736658aa4f51616790ac0ea1493e8f8785a5fc20305bd2319543ba8326740814026c16b50deb14898c2ddd6f5b31660b7a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
9600d99f8593c8a5e83e4a3ef6696aac

SHA1
7d3aa5d24a5039637227e7e29dbeac15baa3b99f

SHA256
39cabea637c82a1de17db52ed189b491738b9a3c01c84e210fa4937c96417c28

SHA512
e3a7a3af7616db11680cc73931c69736658aa4f51616790ac0ea1493e8f8785a5fc20305bd2319543ba8326740814026c16b50deb14898c2ddd6f5b31660b7a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3a0ec59254e4c668113cb690e78d505d

SHA1
bf8357fa95c17d1c126baba876ff02684ed5dbe3

SHA256
0968c40ab9ba45b898cd25a7947b42e0cb810cc8f2618371ca32b0c1356a9873

SHA512
e917532a5efc31c6bf479905a296a4327c23789c4167a62c494d7c2d1fd94252be45ddba750cd9685aac3e9e3a685f2ec63a6a30b55b5307cd525bb6e4e95cae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6b49a34c75144cba6ebf739092bd398c

SHA1
6388090ea94313b41dce159c72544e990bd0bfc0

SHA256
3233a92695d65ef92be1b6a114ee212b9f0a60169ab959783029d3383830258f

SHA512
10d9c00633294eea3d23bf3bc94db101bd78e2a2540dfc80c450dc18affd06cb7e072733e42692a8bbe6cacf06ec6e5e1092068a9402cc6c5403888182f36e37

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
facce527e7dcf0ed7f894f76315a5404

SHA1
32ed85dcab8a49a2f2ce4b5ed0f2f11b61d4f281

SHA256
3b4145adf13417a2e0b3ca6784f2b3c0999001ab940eece46ff02e45ff0706ca

SHA512
3f82f5fb47fef09252a98cfab75b98553880e937a59b76584e2208f0b30923965733a3ccdbbeefbc5f02f6705ce1b518bc3296ac233cf79f0bb309672b16390c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c56de6b28f0e53b30e6963159f7da138

SHA1
9650e2da266e7ed708b50dd2259d808bd41e3751

SHA256
4a07e0175d631c7252c2084ac5a1cbf441ae02c1fc2ebdbd34f1f3033266c67b

SHA512
d03af1f2121a57fedee715b6f30b5df4b54cb24b6af9d24cec979692dc6cd54ab84b064baa25b9fb9759cd20b86ad864e7d3786d62d8a112f28e8afd5717a2bf

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
bdd08007ef9b16206e22076dc1a0b58f

SHA1
1c181a1b96cd70f50b9a262eb1c733f5623d81d6

SHA256
414ba389d76bcdfdc82d1ee53ad95c2d80c386a4129a3954bf04d6eb5e71e0a3

SHA512
9ef83b82658c4053fa24e92afc7cc6821a6b1048bd5a048c1ed855a8e31c68a5f5c15906367cdb0d7498dadcb5c8ea9f88b6fdb695650c763db611c08e3b39cb

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
facce527e7dcf0ed7f894f76315a5404

SHA1
32ed85dcab8a49a2f2ce4b5ed0f2f11b61d4f281

SHA256
3b4145adf13417a2e0b3ca6784f2b3c0999001ab940eece46ff02e45ff0706ca

SHA512
3f82f5fb47fef09252a98cfab75b98553880e937a59b76584e2208f0b30923965733a3ccdbbeefbc5f02f6705ce1b518bc3296ac233cf79f0bb309672b16390c

Download Submit
memory/588-137-0x0000000010000000-0x000000001012C000-memory.dmp

Filesize
1.2MB

Download
memory/588-113-0x0000000010000000-0x000000001012C000-memory.dmp

Filesize
1.2MB

Download
memory/632-104-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/632-134-0x0000000010000000-0x0000000010124000-memory.dmp

Filesize
1.1MB

Download
memory/632-98-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/632-97-0x0000000010000000-0x0000000010124000-memory.dmp

Filesize
1.1MB

Download
memory/704-432-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/704-444-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/704-477-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/704-439-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/704-476-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-480-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-479-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1712-474-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1712-478-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-264-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1936-250-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1936-249-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1936-257-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1936-262-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2108-440-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2108-442-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2108-443-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2108-428-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2108-424-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2124-267-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2124-234-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2124-226-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2124-227-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2136-395-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-390-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2136-420-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2136-421-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-1-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2392-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2392-6-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2392-129-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2392-208-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2532-266-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2532-219-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2588-354-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-308-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-289-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2588-349-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2588-353-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2588-301-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2604-276-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2604-372-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2604-388-0x0000000073C88000-0x0000000073C9D000-memory.dmp

Filesize
84KB

Download
memory/2604-286-0x0000000073C88000-0x0000000073C9D000-memory.dmp

Filesize
84KB

Download
memory/2604-284-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2604-280-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2604-376-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2604-273-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/2648-122-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2648-138-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2648-123-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2648-128-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2720-270-0x000000002E000000-0x000000002E13A000-memory.dmp

Filesize
1.2MB

Download
memory/2720-356-0x000000002E000000-0x000000002E13A000-memory.dmp

Filesize
1.2MB

Download
memory/2748-57-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2748-131-0x0000000100000000-0x0000000100129000-memory.dmp

Filesize
1.2MB

Download
memory/2748-29-0x0000000100000000-0x0000000100129000-memory.dmp

Filesize
1.2MB

Download
memory/2748-31-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2788-239-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2788-238-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2788-268-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2788-245-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2820-358-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-379-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-384-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2820-373-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2820-350-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2840-94-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/2840-133-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download