2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428

Analysis

max time kernel
123s
max time network
162s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
Size

1.9MB
MD5

c1d494b871f12f77b8e58b583cd5017c
SHA1

2d2575195d2a932ec636d60d8e6049f6835e6d7f
SHA256

2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428
SHA512

d62a80993375df5de723b11e519b26c3ffa89ca20c98632fdff3d1e39abf8c16ee935e2624e7b2541bed8b002afede561a4f92587dee52a0e26baacd175acae1
SSDEEP

49152:ZhOHsgLe4q+L0CninfXdLEThyV1kSqSvGgbkarh7P9inm4uLZOkZ:POG4q+L0CafXxEVyV1kSqSvGgwa97P97

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
472	Process not Found
2532	alg.exe
1488	aspnet_state.exe
1732	mscorsvw.exe
2916	mscorsvw.exe
1284	elevation_service.exe
1636	GROOVE.EXE
2928	mscorsvw.exe
388	maintenanceservice.exe
2960	OSE.EXE
2724	OSPPSVC.EXE
2784	mscorsvw.exe
2796	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
472	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6fea830cbc56ce8.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\BraveUpdateCore.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_et.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_gu.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_iw.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_uk.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_ja.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_lv.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_is.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_lt.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_sr.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_nl.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_ko.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\psuser_arm64.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_no.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_ta.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\BraveCrashHandlerArm64.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_en-GB.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\BraveUpdateBroker.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\psmachine_arm64.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUT82D7.tmp	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_ro.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_te.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\BraveUpdateComRegisterShellArm64.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_ml.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_tr.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\BraveUpdateSetup.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_bg.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_de.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM82D6.tmp\goopdateres_sv.dll	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
Token: SeShutdownPrivilege	2916	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	2916	mscorsvw.exe
Token: SeShutdownPrivilege	2916	mscorsvw.exe
Token: SeShutdownPrivilege	2916	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	2916	mscorsvw.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2928	2916	mscorsvw.exe	36
PID 2916 wrote to memory of 2928	2916	mscorsvw.exe	36
PID 2916 wrote to memory of 2928	2916	mscorsvw.exe	36
PID 2916 wrote to memory of 2784	2916	mscorsvw.exe	40
PID 2916 wrote to memory of 2784	2916	mscorsvw.exe	40
PID 2916 wrote to memory of 2784	2916	mscorsvw.exe	40
PID 1732 wrote to memory of 2796	1732	mscorsvw.exe	41
PID 1732 wrote to memory of 2796	1732	mscorsvw.exe	41
PID 1732 wrote to memory of 2796	1732	mscorsvw.exe	41
PID 1732 wrote to memory of 2796	1732	mscorsvw.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe
"C:\Users\Admin\AppData\Local\Temp\2d4d22bd553372a29f6e155ebfc8e76f148a56ddf847c4bec65cb45dfeda3428.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1e0 -NGENProcess 1dc -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 248 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  PID:2288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1284

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:388

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2960

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
2d9be981d1d77194195152e51ed57c16

SHA1
3857c7c637715df1e49ed021bb5f3d32923806cb

SHA256
b8280045cf5354e13bf42eedbb9f0be6b0caff71e2f0ed18e42c0df11b8f90bb

SHA512
672df9a6c1f8783e9ca41a9ab43a2cc9bb36e324687d20211fe772c0b88a89480853869abfc520969c0e77a2a82986ac5a153708a1171237bf66dd1a98f779fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
4545f0fe40bf18f1870b7a82f0883228

SHA1
fe20024d33f09782ec25b3545a2cb22905958e6e

SHA256
cdc056a9409ebe53e4869b503f9d0cc63d3734532337f9f7c2127f28689b5697

SHA512
74e96c0c57f4c636e904a5651596c014b0f5b34a580525c593f099e5ee4f07993f3734e17f0308fa8fcc97391cf1ac13f91ad93148e4933523c5c529d11bd741

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7bdf353d77f3e19f7d54cdd31c028556

SHA1
6dc366b9216ca7cecf643de430418a6d56272419

SHA256
34e74dfbe0b0b9fa04979ae5cf02bc177d032bf3d993b6690976c9d3656a7a76

SHA512
9969f6cf31a5d05f126795c3e9aab7c684e08214e7ce67e9baa7fdbe3e07e844eecbef6962f4a740dd3217aa225720dc5b29e9b3ec81077d2e1a891d663bd167

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
a5cc5f442aebf3208a1284072b8ccc62

SHA1
0faac44bc39ecae594be20e3800dcba4463474be

SHA256
94e0818a1a0eadb3c7d648d1bbee32163e42885d7ae5df3b0f1a176a8ddd73d5

SHA512
0cda7d85a2a8b38b5e02204ef48390d80062d49ba1eeabeef215c188782cc41e58eb241042b9b92730bf4b9fce4b922d282e08f4810d7b76954b139933dec2b3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3c6d525d1c99ecda9789a15f06aa9a64

SHA1
0eba45e1dab3ce0f0c45c7803f41956dcc20422e

SHA256
a935240728f33541ac5f4a6e7d885f237f4ccd3db5e23d352948fc46c2971c7a

SHA512
7de6da9ef1181644a269a4ad40c1d1722079afda939cba1aaa419863cc2d259ac2534676e56690454dedaeaf52fe007b696f03fa997ff34cf941e5c5dc441330

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
ab92f121cf19fda37691ce9f48f21605

SHA1
c050f2e1adc4d201f288e0fc5b5361829f107ed7

SHA256
cc281d33baa2ede31434b4cec5f402bbef80bb460d43732a1102a83b96e84693

SHA512
5d8761c10999f585f597a142c3d80cffbe7f60544a83ed4602fa6e16755c1af5025d1d4a002cd98df46bb89aae3ce175329c398adc56cb17a4ea2216e4c07917

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
30c14cbedbb1162f3819d28bc42a4a04

SHA1
41a80d1b59005a6fb9a12e77fc73e0b84d547b15

SHA256
d4148616756be19e1e205eaeb09a58bc3e40dc2913372123bb666d7a987e3757

SHA512
515ea2ead1389c49313b8b6ddfafd5adb391b29928355b4a673f45ba6f0059c1e3e0565f8c24e11d5f250ab5a7a07e84421cc620c0abca13b00ccf6e45a3e248

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
30c14cbedbb1162f3819d28bc42a4a04

SHA1
41a80d1b59005a6fb9a12e77fc73e0b84d547b15

SHA256
d4148616756be19e1e205eaeb09a58bc3e40dc2913372123bb666d7a987e3757

SHA512
515ea2ead1389c49313b8b6ddfafd5adb391b29928355b4a673f45ba6f0059c1e3e0565f8c24e11d5f250ab5a7a07e84421cc620c0abca13b00ccf6e45a3e248

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
30c14cbedbb1162f3819d28bc42a4a04

SHA1
41a80d1b59005a6fb9a12e77fc73e0b84d547b15

SHA256
d4148616756be19e1e205eaeb09a58bc3e40dc2913372123bb666d7a987e3757

SHA512
515ea2ead1389c49313b8b6ddfafd5adb391b29928355b4a673f45ba6f0059c1e3e0565f8c24e11d5f250ab5a7a07e84421cc620c0abca13b00ccf6e45a3e248

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
30c14cbedbb1162f3819d28bc42a4a04

SHA1
41a80d1b59005a6fb9a12e77fc73e0b84d547b15

SHA256
d4148616756be19e1e205eaeb09a58bc3e40dc2913372123bb666d7a987e3757

SHA512
515ea2ead1389c49313b8b6ddfafd5adb391b29928355b4a673f45ba6f0059c1e3e0565f8c24e11d5f250ab5a7a07e84421cc620c0abca13b00ccf6e45a3e248

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0a4204c6164993592fab290809e20410

SHA1
ce6160adb7b520d5abe660eb3edbc2612b25f68e

SHA256
270020566b6e2966106b9ca1a3cbe28922089acdca851060d34941e0ab685370

SHA512
cb0feea8c745c75487e3a1b02b01eed2203ea6ee13157771d13887657f8400cde30a85cfd299261a815e432b1f9ff737d74862ecd29578bc80d0fe18bddd9997

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0a4204c6164993592fab290809e20410

SHA1
ce6160adb7b520d5abe660eb3edbc2612b25f68e

SHA256
270020566b6e2966106b9ca1a3cbe28922089acdca851060d34941e0ab685370

SHA512
cb0feea8c745c75487e3a1b02b01eed2203ea6ee13157771d13887657f8400cde30a85cfd299261a815e432b1f9ff737d74862ecd29578bc80d0fe18bddd9997

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0a4204c6164993592fab290809e20410

SHA1
ce6160adb7b520d5abe660eb3edbc2612b25f68e

SHA256
270020566b6e2966106b9ca1a3cbe28922089acdca851060d34941e0ab685370

SHA512
cb0feea8c745c75487e3a1b02b01eed2203ea6ee13157771d13887657f8400cde30a85cfd299261a815e432b1f9ff737d74862ecd29578bc80d0fe18bddd9997

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0a4204c6164993592fab290809e20410

SHA1
ce6160adb7b520d5abe660eb3edbc2612b25f68e

SHA256
270020566b6e2966106b9ca1a3cbe28922089acdca851060d34941e0ab685370

SHA512
cb0feea8c745c75487e3a1b02b01eed2203ea6ee13157771d13887657f8400cde30a85cfd299261a815e432b1f9ff737d74862ecd29578bc80d0fe18bddd9997

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0a4204c6164993592fab290809e20410

SHA1
ce6160adb7b520d5abe660eb3edbc2612b25f68e

SHA256
270020566b6e2966106b9ca1a3cbe28922089acdca851060d34941e0ab685370

SHA512
cb0feea8c745c75487e3a1b02b01eed2203ea6ee13157771d13887657f8400cde30a85cfd299261a815e432b1f9ff737d74862ecd29578bc80d0fe18bddd9997

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dec814198f5c4ed7758410b767201fff

SHA1
874e89773c25f2e9c47e074759f928296f9fcf6c

SHA256
2f0ecfe68b4bb3e448b8d099c69f84c357a8ce9eb388d862b000c5bc6765db80

SHA512
3ad2de66bac79e62fba0c427e8fd4c1e6ddd3a33123be8112485f880fc663b07992cfafca2ce6b1c15a2f171c422938af456a9deaffc22b222a663a21cde9d4d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
ab92f121cf19fda37691ce9f48f21605

SHA1
c050f2e1adc4d201f288e0fc5b5361829f107ed7

SHA256
cc281d33baa2ede31434b4cec5f402bbef80bb460d43732a1102a83b96e84693

SHA512
5d8761c10999f585f597a142c3d80cffbe7f60544a83ed4602fa6e16755c1af5025d1d4a002cd98df46bb89aae3ce175329c398adc56cb17a4ea2216e4c07917

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dec814198f5c4ed7758410b767201fff

SHA1
874e89773c25f2e9c47e074759f928296f9fcf6c

SHA256
2f0ecfe68b4bb3e448b8d099c69f84c357a8ce9eb388d862b000c5bc6765db80

SHA512
3ad2de66bac79e62fba0c427e8fd4c1e6ddd3a33123be8112485f880fc663b07992cfafca2ce6b1c15a2f171c422938af456a9deaffc22b222a663a21cde9d4d

Download Submit
memory/388-252-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/388-259-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/388-260-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/388-261-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/388-264-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/388-266-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1284-215-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1284-214-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1284-222-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1284-221-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1284-230-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1488-100-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1488-180-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1636-229-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1636-257-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1636-237-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1636-231-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1732-212-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1732-188-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1732-182-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1732-189-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1732-183-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2164-454-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2164-448-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2164-456-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-477-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2164-480-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-476-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2288-481-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2288-474-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/2288-468-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2288-479-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-48-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2532-51-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2532-58-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2532-132-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2724-305-0x00000000747D8000-0x00000000747ED000-memory.dmp

Filesize
84KB

Download
memory/2724-303-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2724-299-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2724-295-0x00000000747D8000-0x00000000747ED000-memory.dmp

Filesize
84KB

Download
memory/2724-283-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2724-290-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2724-292-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2784-334-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-318-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2784-395-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-393-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2784-392-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2784-327-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2784-321-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-417-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2796-458-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2796-457-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2796-440-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2796-436-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2796-432-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2808-178-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2808-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2808-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2808-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2808-99-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2808-0-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2916-225-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2916-203-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2916-193-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2916-197-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2916-204-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2928-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2928-312-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2928-320-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2928-242-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2928-241-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2928-276-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2928-294-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2928-249-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2928-280-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2960-278-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2960-277-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download