c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1

Analysis

max time kernel
43s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
Size

1.8MB
MD5

4ad570ff98b0b909a11a721b61fea13a
SHA1

206fbef41b5d22d860062f2176caf44a2bad1a56
SHA256

c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1
SHA512

d6ce876642e9aa90a455677573900c5ee5eae5ff78074bdd4d02bab11e22222d62455e3bb01f4c20d65d0675f313da892dd15507d928322b3d92a3447c3254bb
SSDEEP

49152:gKJ0WR7AFPyyiSruXKpk3WFDL9zxnSr70jIpM3kiSBM29mhNq:gKlBAFPydSS6W6X9ln470uMhSBrkNq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
468	Process not Found
1716	alg.exe
1948	aspnet_state.exe
2032	mscorsvw.exe
2376	mscorsvw.exe
1736	elevation_service.exe
1864	GROOVE.EXE
692	maintenanceservice.exe
572	OSE.EXE
868	OSPPSVC.EXE

Loads dropped DLL 1 IoCs

pid	Process
468	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4592145223c682a.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleUpdateCore.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_bn.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_es.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_es-419.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_et.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_lv.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_sl.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleUpdateOnDemand.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_lt.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleUpdateSetup.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleCrashHandler.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ar.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_is.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_pt-BR.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_pt-PT.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_sk.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_am.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ca.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_en-GB.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_mr.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ms.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_nl.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleUpdateBroker.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_fi.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ja.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT4C9B.tmp	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\psuser_64.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_cs.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_fil.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_hu.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleUpdate.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdate.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_iw.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleUpdateSetup.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_de.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_gu.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_pl.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ro.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_uk.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_da.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_kn.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_vi.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_en.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_hi.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_id.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_it.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_sv.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ur.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_bg.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_tr.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\psmachine_64.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\GoogleCrashHandler64.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_fa.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_zh-TW.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_fr.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ru.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_te.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\psuser.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_hr.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4C9A.tmp\goopdateres_ta.dll	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1320	c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
Token: SeShutdownPrivilege	2032	mscorsvw.exe
Token: SeShutdownPrivilege	2376	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe
"C:\Users\Admin\AppData\Local\Temp\c969e926dfbd8a6a494661fd23b7de1566efe0d07651de31161e5a6aeb54e5e1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1f8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 26c -NGENProcess 1f8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 1f0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 1f0 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f0 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 274 -NGENProcess 1e0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f0 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 28c -NGENProcess 258 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 2a0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f0 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2ac -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  PID:1448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1736

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:692

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:572

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
13KB

MD5
6830315cb0e0d38a53233e1fd18e466f

SHA1
5f1e811c17d7024d49475bbef38819c83281745f

SHA256
e1552ff6549fef311fb5df4fb411297e275184e5e859ea98ba0b15dd810c5661

SHA512
c42e8dae804e5d5452dea565dfbd6910a731491aa813c27e607128749331bdd9632432129f746abdc987c1239420b010950d8bbff197f284d7eb273a12ff2ed0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
87KB

MD5
459bd4a1342ffaf61618fff31cdee002

SHA1
81ba5ff65e9900e52b921a6df0727cfc093eb37a

SHA256
4f484b09045970c32da2cd1a91dc2b06175616bf01f64b1dd55322ab76f4901d

SHA512
0adc4d14341e01c1b4f8169e7f869a5666b53b969c9d35e1019679a41def09afdec0f57d9870c015290f00e0c7acfc64d06cc02e2005c252d32538f7598b7357

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
152KB

MD5
10edaf9bd9f554e388d57b1f4454a753

SHA1
52445f6ab3dd51d6c11fda90e802235a0313f359

SHA256
3616b037751829efbb8ca0d132b0b07219a4c9a5cbc35c9b103cbbc41f2521b9

SHA512
37736fd3f397f0a93375d58ca559a5a15d1109acf47d97cc902860a91f7f54ffd2efad52437a3ef9c876492c0bd86c2f7e16968c6ea3e0126f0d65ca6bd57c66

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
172KB

MD5
318f74ef8256fd6ef55685ad491f6936

SHA1
54470f04fa31bb3e8725a36a2be81761cfe3fb65

SHA256
4a5c2dd83e5d98b5a3f559edbf4aa47e4bea839931c1dc66b42d5a03d865df38

SHA512
a96228391780b55c598d4f8ecc10b1d172902142d65d81e080fb06dc25861d8f1732020c00292cda49443f8c8e8014cae47d92699a7702a05a6521ee61f16215

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
101KB

MD5
ed02f6312e3762351cf90ae96152f1f9

SHA1
6a013a85b7636c184f7ee0839b3d1fa7c65004c5

SHA256
c7ae339e554de78131c8c739951719d37f6ec62d470c9e8c4c6e7438a6f5cdeb

SHA512
b9d9955f4d9ee7f2e87a0bf895d9c974709d3b4599da99d53ff8e62fcf86fa5b216ed72ada742507b652a98e2bff09732c027025663728b26ffce0b00dad5f03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
82KB

MD5
0453366370839f603bcf6693b67737b1

SHA1
6b3de85f1239b005f8930918ad570daf2da9024d

SHA256
6c8d90dea1726217e2a4116fff68099eec08c006fe3032a70397bfd2860084de

SHA512
a29ee13672f6c3636ece873b2ce391daa320827b0b9608c643a45bdc74905be05b9f6328c4c22734eb6a8d50a915acdabce728cb7b16900ef06a520f75519d1e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
67KB

MD5
98a9ce5707970a15f56e6602fe2c97df

SHA1
8e603eb9e9a48b912a8e97003102a1b0c215ed55

SHA256
26955a5076c9102208f05cecb27c51ab2d36acf524088ce7ea3c2026710d4999

SHA512
6e95a846ac3fd7707e8b6cbfa9c3011c6cc6bde1fafe59af46406e96c18a3a02f2ab2bce213bcba280d7b6737a9fb268f9627e6ffccca2c2a59b62200e8893a0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
127KB

MD5
c759a3f571de48e0397d14bb51a55592

SHA1
d64b4ba712a5650cc06db2233829820adcca1a71

SHA256
eed1b844b451c8dbbb08b5be1170e8a43f3129ed9e44470b070d32ef304c9511

SHA512
564e07cf569b4eac1a066467f06c5db265e68910eccea695a37dded28834b88d2d8e5930eab023f543f64e161a234386112dcd08ea88728900dc8a741eef04f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
113KB

MD5
49a68cfa8c4e86a392c50ea2008b3d80

SHA1
fe85863cb8bbdeddb76b8df40559b76d66a23d32

SHA256
b74d22c77c889170a428014f7d6c5e1b623f3453c03047866c5958b4df36a67b

SHA512
38fe6dc8fdcbf47d21a6255e4cad35434ac1ed5c72e481ba4c80a085b12580420d34b65a7119dfa01e327583487aa4a5e2ab7f82295e4d24d67291e97a274fbd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
109KB

MD5
6e966a796a850bf01fdf10d2f84b87ba

SHA1
74eb48fd0d098847872f8b56e77df63fd6c10445

SHA256
5724199b5e1faad1f93172f104a98fe9aaf337aedfd1aae7ee9ab2147e1f6e18

SHA512
7d68438ff0c6b5454da9c4883e2b794517f6863904bab0d5b403c25aa1b56f2cb0f624013e212b7314e01704ce552cdaad339556abcf002614a3c89ffa77439b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
136KB

MD5
7f88933d373db34a6a26e3e1b5191425

SHA1
3ebf20cd5b4a4a05f68f0bb6a0f1f33a7b0eb13c

SHA256
80358243d9ba31c37bac6e67e07129915d740a13177572cd77d616ffb1b830f7

SHA512
4f480db5b6bd680f20160663115494caa5b3de2fd86a70aa3b72007d1f7dc504d58a7acfc669e452eeb98d4eeccf0eeca717db82759ed3a1baa3c8a1657e0eb0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
80KB

MD5
c4f19edd1e6d70c9ed7426189aebe0c9

SHA1
a814465d646eff2bc76cbf7252bd94428c883f90

SHA256
2b39cd73433fb3af0aa11fe633ef106f10ee2859fb5b3b28c69763ab12d0645a

SHA512
62acd092de55950273b09a1545799a8bbf610d42d67ed9a88dcb43596685e0830e224d15e93e2e46036f23baf3692cfe66585b251e0cce09d8a2d1b2ec928757

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
107KB

MD5
9ac5509d42b8be8a6a9bca2361cbeea5

SHA1
334edb122cdd0688c4ab1a8c2c0ba36668da99cc

SHA256
51aab155dbc3c2df995e92f1afa3c113902b61bfa17f134b4695f1bff1bd6514

SHA512
74911ee5e7e6ffaf225ebe24a45ad52df088bde7b210cec2a823c43fdeedabc111887bc5cefc4789559fcdd110f42d83497387d84bfbe296eed17d08f3330d81

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
123KB

MD5
80adf4682f47f582daacbdbdd31f80b6

SHA1
7b0857a02d5792a0db2bd85daf4569d1f7a3ad6d

SHA256
f1bd66e8d0c7eb64443660aa0686ead7fa42fbcbcee4a233bce1606fb75506ba

SHA512
a4ce55b3b059ccf2708d933e0cb11043ea6a8759b34d9199d7f16826d143c0bd8cf137fb0464fb8320e241da882c36ad96a58b13ef27220c7838926fa38699b5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
99KB

MD5
2c74b186bb9d325e304e460065ea50de

SHA1
da21870f9e1b0f823189b5bcee0a12e91fc543d5

SHA256
851f19cd90ea629dff3cff84b98ed062da7cb7b16c4094d106f30f720b49f32a

SHA512
99b0d86d2d32649c5487f592ea56f5b637a37816e3587bbc946d213933fa12e38e3e51dc24de4eb8d33b1a01cfe4581c030739943d50fe2b7a912ed1655b85c1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
170KB

MD5
c06db0833f11a1c07b5b90dfc9f861c6

SHA1
347596c0d650fc944e1485bd4a6042def3176391

SHA256
67818c5b08615ff643fbf7f7916e42150dca7d9a98fdcf472f1e7a2ff49e2a45

SHA512
cec935b41c107d569fad51854841a73eab4e76c01dfcd90b1eea4b4c2b898b2ac9df45acd9f90866ea05f06c2208be58e880294f0f5fdc9615726927c5c9e34b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
136KB

MD5
a9e5ebad1700230824808a9781c7d9c9

SHA1
d9eca4ed17087eb82facc6be76c2b1b05d69b9d9

SHA256
ac47a73d5ce7a2a6a48f7bb39166b464b50de89ec84a0492b177392c1dce471d

SHA512
30a1350706d1a5e91107f5731ecb2eda2f03257577a4b2909450f7798ad5b2c9d2b6b6fd0fa737be71b0f5006229c0c1457cf771079c8bc90226ddaf8cb8598e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
60KB

MD5
ed58bae456ac07e1c39230c5f954713b

SHA1
4a4a39701e2f4c1eabb3d6bdd6042bb74d624e2a

SHA256
f45b9f6a8752b3517627ac2eb9bb730f99167c3a1f032202945f5781c4d80ccb

SHA512
3bfbae3da59c3f6d5353946365c6644581420f50e261704101911091b9669cc07203c1aac27589f2ac54ed5d614102ad8e9cc4e003e5c0843df09bb9cdfdf35d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
175KB

MD5
ff5fd420433da86ae2b5e1982cb6909f

SHA1
0363de2783dceeb8ba98d19e7fc4a00a32b4889c

SHA256
0e7d2c0b99b0004c2675a7ec8e4a83a93a59ce3d950f0e72b28cfcb401cc1792

SHA512
e8f3316a589236f88a0f6fe047825a2d486f807df5a08e1c093630d065d6be45d7f72e6caf33ea6b409564c14f997f3a5d4b9c9898f9045ec81b744efd52823a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
131KB

MD5
cdad9d30a30b1d446cb6718f84cfcba4

SHA1
dcd40f2f93736d51ea5ce8a461fea8197d0e31e4

SHA256
14f79dc51e0ff69bb3f3f7303cd7c0e8c8fee254c700ab4d170b944d93b96761

SHA512
2654469f1a15fcaa2bcd24cd2b2805858e865b9c961cf5630c39090f99e1d82c19581be76be08bed1ae27bb145a526baf99f6006fc4f75f86b12f8206cb01b21

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
99KB

MD5
8d504852f30e4faf252d33b1e4c7330f

SHA1
a0be6b2afb609ac7b4360a645b304794ba85fd2f

SHA256
cb05f3e6ef0a5b1af387fcfb5bc7c9c3697ef3890aa416c80f415d8c0456c929

SHA512
7bde4617198b74c21ea3f6190d88a0e8a847ad1347c03b28676d30bf18c3b09132b1f11806319d43b23c040c2b615b4589b460708231e614a6e1016cd8d8d7c2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
117KB

MD5
3aa20a9166c4fab430c4ef66edcc5f52

SHA1
699ac1fbb11bbdafd41f87267f132333d45fb5dd

SHA256
dddb0bc853a61181826a52f3b8299fee1e61429d5a9c1cc12dd3f323c1761d0d

SHA512
c948252319a9eee29edce454686ce80312bc70c031a6c740888a030f25d3bdd3ed0af52d997ede199661d25cd766ccd414e6ceb2ea288d786607d64a44d60cad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
130KB

MD5
c97882d094f10475866f7896bbb9b56a

SHA1
d90a255634e0c13ea39059843052ca5bba03a177

SHA256
ede45c8b96d15554858be837f05f121830ea4e6cb21e7c43985887ca0833749c

SHA512
9d5b5d72c1ce0ff8189b5d98a291243a0df0980eb78f591e98cb320036f05ad8c8c3a46cacaacfbd9ac6a3f3d33092312e55047cd4a7ad0f12361957e7368b6e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
30KB

MD5
0a530dd85a28833fca59773a5020e7e6

SHA1
24b9bf2491df449b4f0f7eb1aa302c7535036441

SHA256
972361228cd173bac4ed832d453a9784d34cdc77912d8b936a5f99c9da6788f0

SHA512
a824b524ff27c37725a65ebb6575a6ac9e52bd83a8a6570faa4e17a508e72058900347b539a06d42bde7d51d3c5b8d832146d4ce7758490dbf921cb8413a94a7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
72KB

MD5
d4989004a82ffc0e4df3751e3e0b7bc9

SHA1
ff4f4fcb6783e69dc4b413ad28d3776521044d1c

SHA256
d3e2e5a7f7fde060111dce8f2622c6f9168704f33dde708ae7280106e0c7cb8a

SHA512
b4efed83cc2891e2b24854f63b346adbe5470271fabab8bc596959df13a7a76a87d3b81c51a9af1ecaffaa98855e930766b2097195ff24974b97bc663805fc0d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
124KB

MD5
f7e5231d16f28c462ecd89e1828170ce

SHA1
d5ae232d6e0a36dcc3911324c6de29683f8d0dd8

SHA256
1d74ea1408af9af88a6dd6f7d020960aece285096061b4aa5ac5a195358bb8c2

SHA512
403d2a7b7c3ad35659e9986fe6beb60ae91a46cd656035e99180b586c42e3118520d3767d3e67cb3e1ad8fb172db7afb6295c5507aabeeac9152b926049b828d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
124KB

MD5
8878f09551731a7b4104d4ce052cbc1f

SHA1
6460e55d3016c473ba0178716c91fbf00da5d917

SHA256
4207fb84498f68f74adcf5a747ab548dd8f9f1b8c0d70fe87c4678b8f2b1de1a

SHA512
76ce12d575c38e006f4c3a44dd584398bf331c9fd36bbc1e437edf0774540c74773c8dfd4e8fb97f634ffc87b94c5e1752405362195079f2a8c6ebf13f0760c6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
109KB

MD5
6a8d15cfe280e01ab7c678e9c325f084

SHA1
67026d7b5bf7aef4c12ba96527022d8ec43577d9

SHA256
5627995ce894abd38b0764777644bae24819bb6c6c8a69f86cc2020ff83cf913

SHA512
0b76276dc22a54f1ac57be04ac9ee0050fe57a2a111677d4c8a12a616b547c8a82865008176eb230943046d4c14e36ee34c25c0ac852d9aaf8be6d979e66a10a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
80KB

MD5
17970f391234145f0fbc01d85eec8eae

SHA1
f523a4a1e92c1e75d39e1a86eefe233334cd54f5

SHA256
807c5d0fcedbbf4a35ed104bf8f186a1c8133bb2632327cda205d8234c46d992

SHA512
ed8b256686a447ac8f39bf59544d62895ca0f099aac29aa08de5dd7f020dd5baee1e3a0dd86a3665d8809743c5264ace43eaaf194dbd71dbfc56b8287572bd68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
92KB

MD5
08f0551affc0fd4590310ec110eb546d

SHA1
0da4a021d486e3e13c1a9643df6345da48ce6f09

SHA256
c38c5f35f077320701978182671d5c6379edee9cb1033657456263a79e834de6

SHA512
342e738b1674a3f6904aa8611cfac8da5720bc9873ba2d8fa9f1f8b21cf0f1bc4c18f67f6b781da6ec709b73e354b456a92092671e39b380ee86e3b76fbd170c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
405KB

MD5
d1c40a59b70ab625e3ea600619c2cc82

SHA1
1e895813a1d5d75ad1e63226c321485f32a7c892

SHA256
9d1b5d98be2ae30e431f43f04c240be2f186fd02d47f5caa1dac1e7dbc230b7d

SHA512
b153281399ca4b1ccc08546855df020b2652c94b8645b9d5b4d97ef3ed30634f9b376891505c389e6c60e93b3b0bbc47716cd1e7a516526f7602f1bb59d7d402

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
37KB

MD5
8458b75faace83c3780a4f74f42fad1c

SHA1
434a9e52c14d43177c4b50a8a310cb828741d775

SHA256
2a794d01451e820d7009fa3fe9507aa3c809f858166a57d6ad779d3d5bf7c048

SHA512
fe906b20872fb619d0a02d12f3553ffc8f466981a96224a35c70d8f5328a97ab2ce254fb8115467248e71b0dcd76ffd935696b47574979b7838272dc5090faa9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
43c405d0e18358e458836d54bba99ac3

SHA1
bf78ea383ea7d612c76b2715af44310a88291f12

SHA256
5be31acca2a3ee865fbad19961793b48104abd9bf838ad961571fec440da7e1f

SHA512
3b86d97b3ff10e0e61ff46e8939b2f8f23c0d9e962be7075d05b159cfde343e32e34154dc75e3101da491cd56e3c2f002852b42451425429130ff7e68ddd0717

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
75KB

MD5
d0b14f8ef116a03f4cd16db185a369fc

SHA1
429ab9b3cc1c19ab8163c8300b86f282d1c79d9b

SHA256
72a16b47790fa9cad9f4c1df07be3917cb70b89c2ef39600e20f34104d48ead7

SHA512
a61229b947c22971d8ae9edb7c8a71e3658edd160dd78ac453b4aa97a7dfca24a40be352483c684286658e5191cfc003cb539abf0fc09156b493801f1c3101f3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
46KB

MD5
53e4e0d466c7d7dc1d5764fefda71427

SHA1
e9e1f159330b391b2914c18f0125df36a5ff65a7

SHA256
84b52dbee1e6fc20456b12c5b64331716caaa389a451c3c13fb88387a19cce36

SHA512
dd913c5ec395a1838933fcb43ec255aa851d957cd99e6e98eefa93c5e97010f174a33aea20660343eaa95b880284f5cd7e43c6530b9fe2795f138b0a5f7a11f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
127KB

MD5
4a36d6998d2f4e94c549ba7ae1a5ee89

SHA1
343629f60c58b1be608d503e13a98858d0fc51d3

SHA256
8b6535d84cf84b3ced31cba9990f6087973f3827c181326ee7d339d39b537625

SHA512
233471ff99561f3868aa5539eb57c8acf637041c747ae49da31ed87f01bbb81d8f26e0b34400293b80c66d29d387612521f3193881a5f7a4d109f4b74f14e6c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
85KB

MD5
6b24a40ac59f548c5227fe33dd15d131

SHA1
ad33eb965561aba5c91dc2a2cf1a37974705c0bd

SHA256
71eef434abacef2afed4b97c504e3f6f27bcc4aff2ad7fb2c0267675af46e865

SHA512
99fdea4efee0baa80e8ed9ca36460feb190813634780306847c18084a5667720df39dea6d1205e89cd016fc0f8b2ec3d2fa8105256a0b1d5cd2b79c576bbf3d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
176KB

MD5
e348380c8addc065a5c07609cc016a9d

SHA1
8d65eef7d4ce91297a5c1b20d194ef924a7fe92e

SHA256
e1457be34eb1703832ae88f6220d7bd776d2b7ebae611db09bbb75df215ad0a3

SHA512
b68f77886c9299291fc8c2cad45920f58c27ee8236f1f67001a52c9d1c4c30c4e19f4c551a4fe24b3b23101476c7bc3b0ac7fd08032b1182a1f5f72fe1b4a3b3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
69KB

MD5
f446868e166a95e49d1d171b25c15c86

SHA1
aa527540f9fe60fa47846f0759aceb5ff6abed77

SHA256
b5da9a01ddaaa26cf6ccd1182f785e28c21b7f3cb292ab3d8d26a4e339e0d1f3

SHA512
dde1bc864db08e6d9da4d6f6f50a3861965896488971d5a85d34beb63bef3e34f5d2e0dc999e4982b3d9537d727f1b9c10ff58abeaba1d07afa7c433df9b881f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
a99c2ea1c6ab2f804ef4c22f7cc0b728

SHA1
24be4ffd7203c8b91082c09f432ccc7be071651e

SHA256
878dd848381b752f2a82a2474547ef8716663d9c41676910aa92227eb94e1794

SHA512
cef6e56c2c13f3e8b0a13308717c043288c7ea8ef56b77659bb0b134b265f725a0ab89f5c52a588c99cf6641ffa52c6831588cd36ed8ba014f71d0e4e2156ca8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
92KB

MD5
e4a2ad5f8dd411c86ce4a3b749392fd8

SHA1
c501643e3367565caadd62b7a02fbb2c4adf7c97

SHA256
1e30e3182128c2655376f0a2c4ac0003bb9d32a0188c0930807ae03081776300

SHA512
fbc54c0904efd3889814c0b85dbbfa5ace5d66b691d26a773a9d1fe12d02d901561e0a006d4372fc492d3912f2ed4cbb3d6a73b060d3715d9923c4fe4440c064

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
123KB

MD5
320135e983d2f49c52ab1e941a8d0ae7

SHA1
b81cf4b31d0a6a6113a8e5ef50f5d2c6be35f3a0

SHA256
be55b186367fe33f0755f537514db1aecc6a93f2be4580ab183210d2f52fd609

SHA512
a47003b179759ef1f00d495482e92eb240d1f94a3b2268cdc4fea2f261d9d3b46043b6c795374dc9c5d811c32feb753b12c0bc0a103a93b9754e5da2970d2356

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
97KB

MD5
ffcf9302be5e42af74eeba3921edda52

SHA1
368da09868baf3d13ed342066534f04f75491710

SHA256
aea9c788b6f232f38a289ff678b9d3996523b7fd0a9a6b346d06293b11c12d49

SHA512
9d797373a87d351afdc457ecaa635565288188a8bbf2a298e89e55b5f6d92e5db9c5c759cd50508f5f1c3e984e7e89c1b35d139bbd42c57b680abe272f018d9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
103KB

MD5
985de50e95665f21c1df2366d6d0b16e

SHA1
931db971e4931cc50d0bf2f7d91575e71f4d1043

SHA256
e5dab5dea68813302a327447cd07bde558fcb8ae7d49a6e40183fa87376d1ff9

SHA512
03cfa8d4a210fe54e31eeb5bac31b2b8ce5ce21628b86508ea74e01be98a400bf8b2913e5a2d83ae9ca3ea107afd7d855389df61e1856c359f1832ef491b8111

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
73KB

MD5
932186e87f445ef74290d64b8937d440

SHA1
dd51612079012fd79ce35cee6a02dbc9ec0e3e76

SHA256
404d7a4be1fe334293ce6e66a855725838d6ef7f4ad36d0970f2e64f7fd996ce

SHA512
f5013440abb528d6f1051d64cecdb793d3a3853c98760075cd3001e2a2e126a4986d6222edc6a00d7cee0ea3500f6b3ed232742837e6ed076a0d966d9d4d1f54

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
48KB

MD5
d4a01e486d1ff9d2dd65269909abb89d

SHA1
54b306f03f141a89f6a30bae7c0d561b69706a6b

SHA256
9e5ef76d15903231692ffd726d7a3c9cd2f555647ea9001be250c7fe0cb389e9

SHA512
d79e8274ee3f70991a44cbadacc2735c8714bf25404ede2a911a8c13308f72a2d17bb9ecc6bb36f9bfcc803451a838457df74e1ee1d624363340e59d2f7198d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
22KB

MD5
8628ae5179e1681255ade85ccede4720

SHA1
28c3d119b8e2e9adbf58b7d8877b8a59ee3b4397

SHA256
e71e52143ccf9220d8615ee60b5346e63703369b6d680b2db325c6a7032fd6a5

SHA512
d55c085b37b5a611e9ec869d42febbd87404f87a05e67e44ca98b0661694af0c33100045d36e814eaf6b54cbaa338aae41408c8c20081708707037e567dabd22

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
89KB

MD5
e5ef93ae340a52fe70f41c9df269964b

SHA1
5844900503da0f4c7e536975284afbf2ff0a09a5

SHA256
83b0a777d6691d7ee5fa406eba38a9bb117b14b8f19060a1f038c117c93d7c22

SHA512
caf6d81930bdcf53c2ee3c120e130211ad63cdf650850b5f080e6b93bd1a59a4f279d7e3fd168158f529af534acca09dccb0865deb2e3b51897727370c704daa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
102KB

MD5
599e76e84ac7ae9723d3fff10323b143

SHA1
f853f9b1112eeceb8bd39841a2d5bc32665289a1

SHA256
e1e77b190abb2f640071f4a185d0d815b7b8fd6a654ac023f22addda35e201f9

SHA512
e4d5338230e1931d9db4e78d8a0bc8fb31c4b2131a5d3993654661cd09f9e61d73439cd5f70975fdeb3b235a7254d83dae0c22fcc7a57f33aa64d5d28a54adc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
14KB

MD5
31a29d41a1ef8182b01c338a7438ac9f

SHA1
838bb0e75a9e189e12678d69e6b66f8d4ca9d2ac

SHA256
ede19057d642df983b128264193d9185f176344b2816f55fad00d203e337a48d

SHA512
33802b7a524dfaf2424f1d46549fc9524f7fd79e44609d11d5222f6886df2801d8d9f762abaeb0a61b28a7f1026e5bbebaef14f0c4fcea81de3012a86a7c1581

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
137KB

MD5
49dd868ab17ef85833c62194aaf0ab75

SHA1
ba75f308f10ab25c3b7ced0d29da7cbe864a2317

SHA256
b971773ee5e11752453b536d981552ffb7831b6795c1c5041897046ddb2e6414

SHA512
542e1f3990766091ce6148210c3285e1f1b9bee15d29f41821242e90afeb47e33fa862deea7685cd98b5344bad12170b959c3d4bfe6d17a8bfbe2f24996d7838

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
73KB

MD5
16be344a85787998715a4a14201a818a

SHA1
21035edf69cd3a225662e7172b14310e7f1a2344

SHA256
bbf2c48f19690e39b249830ea78f6eca5ce73a1f80e2b2e09d03e69ac9509e3d

SHA512
360be3ab59d673a9ebf73f578b7eb1d8dadb56c3a887186d0271b4a29f89f2b1dc80a860174035161ca90489364d8563a54615456623df0053945bac49b28cfd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
41KB

MD5
610c6abc0eded55c15cacc45f00e1599

SHA1
932aafd3875de5dc6a9ebe1931c061db3472b40c

SHA256
dfeeff0290855fea5aec71412f9141dfbbdef285cb5cb9da6c0f1cb8d43ee75e

SHA512
b8f3bd161a837e8955b86b900589db91f3b0ac546d93f0fc3faf3f0d5233b36715b4741bbca47b6342d21c699cc55848e509c38d1067d376fc044731e8745522

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
97KB

MD5
ad71a770730ad6af06ceefaf334e20d0

SHA1
c3acdc5297eff4c11765a2f97c6ac6a15dfc9368

SHA256
04ec13e2a424ae0b7cbafb20f4b9a90ce6fde220835d3b24f58bc934e383eb58

SHA512
9b8f37e0e2e93462722f7aaf206aa660d4d42a76884f1b255b7911ef2101c38113115bf1940f1f2d096013635dd7400781f901da1daabf66d246c96d7e558615

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
35KB

MD5
4448a5f30928a83d0cfb9ecfce7b6021

SHA1
d8d68a7cb0fee5f86891ec34cbc5bab0fa78d536

SHA256
42a809a278b6ff855d9147fcf127cccec8dd4b60e059e9d03a9502302f9a3263

SHA512
2b65a7f775fc40521a402590e0709d88d753160c8e22964b68ac68f06fb6e674db674bbfaa3ab028f6a3b7ef549958edf84c273f6781baac3f302c22dbcadd66

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
09e730f11df51c30a2e8e84e79fb7e5b

SHA1
fdccb03c6e350b9e5c02cb0e4c273ed987a57654

SHA256
4c17350ebb102823e1fc0c8848910015a72852a4bd6b55d82d9877c441f0ecba

SHA512
a94f030267f70173e610fcbd0bc35a3c3e1b2b114a717b40143f8c09a4d30b5bb67e7bfbb01812085db4e6ef819aacd13f188cb5506c5b9d701a82be098e0734

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
4affb0858f24c82b6cde96b40ede313f

SHA1
3129c8343536a18a614ec2b8dc73bc4b69c5e3d9

SHA256
8af42cbc4329d4f5f02ba17292d27c50d74e75fea3804143be828dd54bda355f

SHA512
d1e1ed251e56580e2c5c5237e8854cfbd494ea6bf45e2b690a76be685e0e73405929d2c8094d9e66c77fd55eb040edf42a1e9d0e47171aec52f48345b3f59cd4

Download Submit
memory/572-231-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/692-228-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/692-216-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/692-227-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/692-215-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/692-222-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/868-253-0x0000000073D68000-0x0000000073D7D000-memory.dmp

Filesize
84KB

Download
memory/868-438-0x0000000073D68000-0x0000000073D7D000-memory.dmp

Filesize
84KB

Download
memory/868-423-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/868-248-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/868-243-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/868-238-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/868-235-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1320-68-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1320-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1320-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1320-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1320-169-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1468-422-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1468-415-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-439-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1468-437-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-424-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-53-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1716-92-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1716-61-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1716-55-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1736-199-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1736-200-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1736-251-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1736-192-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1736-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1864-211-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1864-207-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1864-204-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1864-394-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1908-404-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-384-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/1908-443-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-395-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/1908-396-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-444-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1948-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1948-230-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2032-234-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2032-172-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2032-171-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2032-177-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2056-427-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2056-471-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-440-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-434-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2056-455-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-457-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2368-472-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-450-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2368-463-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-245-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2376-185-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2432-502-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-479-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-484-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2432-486-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-501-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-499-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2480-516-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-503-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-469-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2484-465-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-473-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-487-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-528-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-509-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-515-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2740-518-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-527-0x00000000726C0000-0x0000000072DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-524-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download