352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988

Analysis

max time kernel
154s
max time network
166s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 06:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
Size

1.9MB
MD5

b50e4d74edebd107a9b49cc012a6a61e
SHA1

c68774d59d4b10c52ffbe613aab62c8652b20d4c
SHA256

352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988
SHA512

829d4ef08f2390382586fec686832d7150e25ff92b5316c2ddf2a30eb1c55451e15e9fad1f46041f1d87a91d52d1961c9502092068068e4e5b2727a148429005
SSDEEP

49152:ghOHsgLe4q+L0CninfXdLEThyV1kSqSvGgbqKt9tTjpJLPDNI:MOG4q+L0CafXxEVyV1kSqSvGgXDTjna

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
464	Process not Found
2644	alg.exe
1756	aspnet_state.exe
2832	mscorsvw.exe
2344	mscorsvw.exe
2148	mscorsvw.exe
1040	elevation_service.exe
1716	GROOVE.EXE
1504	maintenanceservice.exe
1712	mscorsvw.exe
1732	OSE.EXE
2788	OSPPSVC.EXE
1720	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
464	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f9c90416cbc56ce8.bin	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\BraveCrashHandler.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_it.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_id.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\BraveCrashHandler64.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_hi.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_iw.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_ro.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_bn.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_ru.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_mr.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_pt-BR.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_ca.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_is.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_ur.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_hu.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_lt.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_sk.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_sr.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_sv.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\psuser_arm64.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_pl.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\BraveUpdate.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\BraveUpdateOnDemand.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_fa.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_sw.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\goopdateres_zh-TW.dll	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\BraveUpdateComRegisterShell64.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUMB5B8.tmp\BraveUpdateSetup.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2416	352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
Token: SeShutdownPrivilege	2148	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2148	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2148	mscorsvw.exe
Token: SeShutdownPrivilege	2148	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2148	mscorsvw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1712	2148	mscorsvw.exe	38
PID 2148 wrote to memory of 1712	2148	mscorsvw.exe	38
PID 2148 wrote to memory of 1712	2148	mscorsvw.exe	38
PID 2148 wrote to memory of 1720	2148	mscorsvw.exe	41
PID 2148 wrote to memory of 1720	2148	mscorsvw.exe	41
PID 2148 wrote to memory of 1720	2148	mscorsvw.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe
"C:\Users\Admin\AppData\Local\Temp\352f48b50585b0bc4a85fd8ca181b2f6391a8f89087b1964bfbdb8d97499a988.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 248 -NGENProcess 230 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1040

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1716

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
203a637db1a7e53a79187e2f5f98d1c8

SHA1
a1814a1808f6ff200024dbeecedb2d97e45a4004

SHA256
669d5af5adb0dbf56f16a2e275f847820f4fa802bc45db9b64ee33f42f2b4f28

SHA512
4d6895afe8db87589681b4e2f8a33b0a2af5bbf9bf9aef30f8e91ec4e39fbf91ef0d70cdf9f2faf1dd98107c6280bd1ca77aae90d9c1afaba05f19db6de581fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
0dd10c02173713cfe35878e1ee5935a8

SHA1
5608c339b25dde069f21fd2708bd2c8353c66f28

SHA256
cf732daa932cd4fd1d3212e26521e98ff3fb6f7d7a068652b859828a405368cd

SHA512
ad4349f8937cf66705d891f48702b0318fca2de5d0bfc7c2dcab8365e7673d8b4d86618afa5e9636bd83f697b3b00694eb6830f781d22b53cd2d61d14dd0f534

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3985a916a00b3b3b451deefc4ee0e115

SHA1
b0cab686ce8bf226cbb9427a4c4383e954a3e2f8

SHA256
1b8335697b1377e7b6168895db1ed6df0c10a0b87cfe5c87ffe680f139bbb821

SHA512
1cb6604074433e738eccd4395b5ce934b9c9908c0ef8ac6d6da9c87edd3e3f991898d4ae02ef566f456580aef6af84d305f2688ab6815adbe47da65f8adc6b1e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
0121c03c5111f5a8822d1210c66c524d

SHA1
117dfac5128063f815911d0449f7b4e13ac41b21

SHA256
ebc752053859713ff601577aaa7dae93da58df931077a3e669ba6ae3a8ea2526

SHA512
a1d0ff0a17b6d64c27ac6c9944b356de0aa00f5bae8f1a5f6fc5620d1e147356fbe430cd84b405873b43c2badd1a5c60d6910c5453b5acc4f5bf753f2dade13c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0087a36c68e6fd009745f5066ac86181

SHA1
9acee62d0e9c9b23f75e4312e5586c2af6548948

SHA256
f7f6133dfd310637f061c71c01db4156206f15798ba03547e745eba15f1b6dc9

SHA512
72c0adda72e984ffc92f0953d7e5a289ba82131697ad2279d8adaf7c7ae99e7fcbda1260d87ca52658b99ed71cb40d2f7f3855611d1437eeb01de64066a5b179

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
1a5456047d42dbe4a4f04b2cace300f4

SHA1
35ff5d5da5a10a56e90a0a4c1a8eb69d3eb91a75

SHA256
0a701a4616793c2bab60e7362b03922f3e429d0a928db419cc7ddbf3072b95d7

SHA512
c96d7455c6f771933c6de0fe5daa61a40ff0e8ac9bf1d82260a5e75e14a74ea5ee38b01650daa09dcd589a5a66dc3e69082014c8a1f1d1a5d8b44011c3629f48

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
39b2a895ebceef6739f3d1356627f565

SHA1
5f7074449113dbbf71d07fca1e79ecff79016f1a

SHA256
7d609d2c81d5631057ed7e919ce35845101eeafe7c7a3bd6d3181042b008f701

SHA512
4c6d76b7667c0e558e53396f99bc29e430fb391421664ac8fc4a378e9a6f5ac6248ec392d0ecdf9a7f1bbbf304757617b231adb8a1749011173508451d220b6f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
39b2a895ebceef6739f3d1356627f565

SHA1
5f7074449113dbbf71d07fca1e79ecff79016f1a

SHA256
7d609d2c81d5631057ed7e919ce35845101eeafe7c7a3bd6d3181042b008f701

SHA512
4c6d76b7667c0e558e53396f99bc29e430fb391421664ac8fc4a378e9a6f5ac6248ec392d0ecdf9a7f1bbbf304757617b231adb8a1749011173508451d220b6f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
39b2a895ebceef6739f3d1356627f565

SHA1
5f7074449113dbbf71d07fca1e79ecff79016f1a

SHA256
7d609d2c81d5631057ed7e919ce35845101eeafe7c7a3bd6d3181042b008f701

SHA512
4c6d76b7667c0e558e53396f99bc29e430fb391421664ac8fc4a378e9a6f5ac6248ec392d0ecdf9a7f1bbbf304757617b231adb8a1749011173508451d220b6f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
39b2a895ebceef6739f3d1356627f565

SHA1
5f7074449113dbbf71d07fca1e79ecff79016f1a

SHA256
7d609d2c81d5631057ed7e919ce35845101eeafe7c7a3bd6d3181042b008f701

SHA512
4c6d76b7667c0e558e53396f99bc29e430fb391421664ac8fc4a378e9a6f5ac6248ec392d0ecdf9a7f1bbbf304757617b231adb8a1749011173508451d220b6f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
99b3209701d3cacee721865a265baba9

SHA1
4d4c8ffae3cd8b43649ac77897bd99199b9f7824

SHA256
b08761c41d87006152b7cc51c2c7e7ecc2272505a4967c5dc7248522029a5132

SHA512
ec2fb30f2223960a36e38e2778d45fdd365cc9005789b0f5f1f2dd567d1fbf00b9db0e6d45f8436e270234f64a3d4f2b104405d051f74e3b43c7a036f43f317f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
99b3209701d3cacee721865a265baba9

SHA1
4d4c8ffae3cd8b43649ac77897bd99199b9f7824

SHA256
b08761c41d87006152b7cc51c2c7e7ecc2272505a4967c5dc7248522029a5132

SHA512
ec2fb30f2223960a36e38e2778d45fdd365cc9005789b0f5f1f2dd567d1fbf00b9db0e6d45f8436e270234f64a3d4f2b104405d051f74e3b43c7a036f43f317f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4cf11a0b5046b6be05349a5bd2373a7b

SHA1
92edfb0c0d2ea29068619ebdcce494e84a6dec08

SHA256
2d8cc18deea0bcc6efafa9270220b4242bf2b0673980b11b3d22a1e0f111311e

SHA512
73cf42c4250fd9050fb49ba165eb0fc8ecd3b42560ee5c62f862adf7639b590037122c6dc1bfd4ac5df13202672c3ee92c2206d7097490a538c0660f579777a5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5d4624d4bb78a0d9420c4607c4aea011

SHA1
b8d6833ea2bce3d3f549aa098a34ed8a85f699d4

SHA256
8357101289cc86a96665d3a76e178037923e060c61fa016fceabec08475af6ad

SHA512
c076880acd070601330cca655ad43ecf682fbd26b43df69dd2df6552f3333a36860e547b88dc88973142aaf8f86af0cdce0bfc05dfc6b90cd9b6a6c30911ce78

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5d4624d4bb78a0d9420c4607c4aea011

SHA1
b8d6833ea2bce3d3f549aa098a34ed8a85f699d4

SHA256
8357101289cc86a96665d3a76e178037923e060c61fa016fceabec08475af6ad

SHA512
c076880acd070601330cca655ad43ecf682fbd26b43df69dd2df6552f3333a36860e547b88dc88973142aaf8f86af0cdce0bfc05dfc6b90cd9b6a6c30911ce78

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f9c90416cbc56ce8.bin

Filesize
12KB

MD5
557d2b5fc6b516284820a2f14e28a6d8

SHA1
2e240a42e8c92f177ddf4a8d00cea576aed7329d

SHA256
d93e650c04c8626f74521d9791bba5f214737a7f7f506e8c81d2e975516db633

SHA512
f64e0de9b8c81f14b2d6d4d5218f147648c1dacd13a9570c1c1b9cacf79f4958f67f68c927b7f2d7c059727308d54ed3b8ba7830d2e0f1ef92165c551e87c2da

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4d86c715270d8c604af753d31349025e

SHA1
0d9f49a9b29cc368b3c58cf87acae84316708f9c

SHA256
f0f979dd1aae017f261601e3136e524ae0e373cd24928f45c9be7fb5cf91bab8

SHA512
97d44f7c09fb22bb7da8314dbb81320cdd8d68eed53f78317a5a5a14d38c3e13ea3cfa7f7ebf4572a97c701a7a30513a8b9826649de0112c76024e196c3221c5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
1a5456047d42dbe4a4f04b2cace300f4

SHA1
35ff5d5da5a10a56e90a0a4c1a8eb69d3eb91a75

SHA256
0a701a4616793c2bab60e7362b03922f3e429d0a928db419cc7ddbf3072b95d7

SHA512
c96d7455c6f771933c6de0fe5daa61a40ff0e8ac9bf1d82260a5e75e14a74ea5ee38b01650daa09dcd589a5a66dc3e69082014c8a1f1d1a5d8b44011c3629f48

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4d86c715270d8c604af753d31349025e

SHA1
0d9f49a9b29cc368b3c58cf87acae84316708f9c

SHA256
f0f979dd1aae017f261601e3136e524ae0e373cd24928f45c9be7fb5cf91bab8

SHA512
97d44f7c09fb22bb7da8314dbb81320cdd8d68eed53f78317a5a5a14d38c3e13ea3cfa7f7ebf4572a97c701a7a30513a8b9826649de0112c76024e196c3221c5

Download Submit
memory/1040-249-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1040-228-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1040-220-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1040-221-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1504-253-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1504-263-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1504-251-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1504-259-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1504-264-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1712-330-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1712-329-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1712-300-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-312-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-307-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1712-266-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1712-331-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-268-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1712-276-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1716-238-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1716-246-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1716-275-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1716-241-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1720-413-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1720-414-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1720-316-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1720-339-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-336-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1720-326-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-324-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1720-415-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-304-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/1732-311-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1732-279-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1756-69-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1756-178-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2148-209-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2148-237-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2148-201-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2148-203-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2344-186-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2344-185-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2344-235-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2344-192-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2416-34-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2416-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2416-0-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2416-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2416-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2416-170-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2644-26-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2644-171-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2788-314-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/2788-313-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2788-301-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2788-303-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/2788-302-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2832-172-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2832-177-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2832-96-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2832-200-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download