79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
Size

1.8MB
MD5

2e0c62e1c0a492d738921b135c87ab7b
SHA1

eb3323e43052a961561f8e300741000c3138ffa1
SHA256

79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa
SHA512

ac285c398f66d395520d53c79c7762808b9f9774eecd1c1df1f77c6559f623002bf1fe0292c849e18d505c7abca75fde380e264b90adb50086454293548fa0be
SSDEEP

49152:3x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAaDmg27RnWGj:3vbjVkjjCAzJLD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 38 IoCs

pid	Process
480	Process not Found
1988	alg.exe
2700	aspnet_state.exe
1456	mscorsvw.exe
1548	mscorsvw.exe
2612	mscorsvw.exe
1160	mscorsvw.exe
2024	dllhost.exe
1712	elevation_service.exe
2004	GROOVE.EXE
1628	maintenanceservice.exe
2992	mscorsvw.exe
2408	OSE.EXE
2520	OSPPSVC.EXE
2228	mscorsvw.exe
2792	mscorsvw.exe
1748	mscorsvw.exe
2384	mscorsvw.exe
2908	mscorsvw.exe
2660	mscorsvw.exe
1408	mscorsvw.exe
2788	mscorsvw.exe
1356	mscorsvw.exe
752	mscorsvw.exe
2868	mscorsvw.exe
2608	mscorsvw.exe
2516	mscorsvw.exe
836	mscorsvw.exe
1616	mscorsvw.exe
2532	mscorsvw.exe
2240	mscorsvw.exe
1280	mscorsvw.exe
1656	mscorsvw.exe
3012	mscorsvw.exe
2968	mscorsvw.exe
2380	mscorsvw.exe
2568	mscorsvw.exe
2548	mscorsvw.exe

Loads dropped DLL 3 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\27aeb5d3aad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\goopdateres_sr.dll	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\goopdateres_zh-TW.dll	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT2943.tmp	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\GoogleUpdateBroker.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\goopdateres_bg.dll	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\goopdateres_ko.dll	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\goopdateres_sl.dll	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2942.tmp\goopdateres_es.dll	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{77A18915-1CDD-4AFF-8DFB-E5C89059A4FA}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{77A18915-1CDD-4AFF-8DFB-E5C89059A4FA}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2868	79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeDebugPrivilege	1988	alg.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeDebugPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2992	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2992	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2992	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2992	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2228	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 2228	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 2228	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 2228	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 2792	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 2792	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 2792	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 2792	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 1748	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1748	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1748	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1748	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 2384	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 2384	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 2384	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 2384	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 2908	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2908	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2908	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2908	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2660	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 2660	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 2660	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 2660	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 1408	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1408	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1408	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1408	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 2788	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 2788	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 2788	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 2788	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 1356	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1356	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1356	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1356	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 752	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 752	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 752	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 752	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 2868	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 2868	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 2868	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 2868	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 2608	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2608	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2608	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2608	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2516	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 2516	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 2516	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 2516	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 836	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 836	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 836	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 836	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 1616	2612	mscorsvw.exe	57
PID 2612 wrote to memory of 1616	2612	mscorsvw.exe	57
PID 2612 wrote to memory of 1616	2612	mscorsvw.exe	57
PID 2612 wrote to memory of 1616	2612	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe
"C:\Users\Admin\AppData\Local\Temp\79b7ee64c3d432eaeabed4c3eb58f44cd0197e12e7a080e41817a0b156a777fa.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1456

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1ec -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 1d0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 24c -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 238 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 238 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 248 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1ec -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1a8 -NGENProcess 298 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1a8 -NGENProcess 294 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1a8 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 29c -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 29c -NGENProcess 1a8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 274 -NGENProcess 2a4 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 22c -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1712

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2004

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
1220bcbfc5048f9567c037cc9a5c4da1

SHA1
ee5492cf72c810b834e4e8895421161349b3760d

SHA256
6321228e8bcfdf6897ccb2b5e1cb8c321ea0e07cffb3a997f585ad421ba423a6

SHA512
14fc877d8bfba97353306ca0e9da9db3540b04834da0857f6ec0ac16c8c419386989e4132528c2613fe8e51a7650736665fef3398be1beb26f7d37cb8f5963df

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
193f2afd2cc9f1e71a346774428a771a

SHA1
b90029ea0bb899eec347b157960f42be10e7028b

SHA256
16f88b2932dc1eb649c84fbeec22573a2ef84cc028a1e31be5e2343297eb2899

SHA512
d63c27051aaf2afe6118bbafe56dc990f941246e4fb40eda3f42c503c288e8dc5e4adb73c149bb22c494f4197e933b508abfbfbd30c398ff1d17ab252f10034a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.2MB

MD5
cc4748dcc930fc6d32c96a4e759d3044

SHA1
1bbf36b0a4b263cd4288e5f05bb79ab4776defea

SHA256
1e0f9c0337a8b70d178efd101fe1b9b045921c05ec367ba2d7a3a55bd0b6c2cf

SHA512
daaf163e4049ab9ef07e91e06e8ffffa1131bcf421e192680d2c11e5bb078a7754a0903313ab01b4e5e11e9b9f0a493b43291ea0b1bfb6ecee21bee563cf7b15

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.4MB

MD5
b5c7843b9f828a5a7e8bd8f2e73cf842

SHA1
ec6c3291626e3984ea17aa355fb90fc01ca20f95

SHA256
68075bc6d1e9119a91b25f5985e091db5847897dc43abe49face748a5ab06bb5

SHA512
786c30c2efc960c940749515149e210a9c95e729ad4bdb91d9db13fe4940d7eee8fd82993db02291d821dffd1357aaa05d7bed97eb46bde38344f9b7362425e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
12.2MB

MD5
439cb536930bf483a5b2275f64b53fb8

SHA1
89d1f7dd83636678f3e752e510672ea5545d493b

SHA256
86760236b3e52f7a52575fc33447ef42807e0d612a82ed35ed6b81a9ea8b45bc

SHA512
7fef1a6924e9828dd8d803a2e20ba4a38ea937cc96c353b14c63291d01a3e76a02b8ddac89fb7af5132eba3b86db8e86cedf0516396d0d593287b2ff8350f274

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
256KB

MD5
7c91409734dc1f67fa33c43b406950e3

SHA1
3523de397756e5d4e2954d04fdc293931b5ae96f

SHA256
3161105ffb4e847af5805a93287d74d04472cb3073a75e4b21995aefca1cb7ac

SHA512
792dd52df2bf3d1865ff7599c6a229d55f20603883156c86650f2166cc71cb3ddc93ffa7e6f60589268186266c082762207cf732f9501735af8794f0442609e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9d8b72af2772dddeef942b6868ebae7d

SHA1
7e0004fde916438e3a8c3b0e12c8cd195c582744

SHA256
5a2882947ceb3fc367452fafed3e56bfaf37baa554d6d69f33943dd66f815a9a

SHA512
42430e580cf3b78bfa0365e83169e74b8ca3f8cd7eaf287a041692be016c03530e31e9583b10850c7bbd9ad3c82087e345446e444fb8ba69f6223c37d00bc7c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b250f01f2e74cc9a13650396df375ccb

SHA1
94713d9c1141d9e613d55e779870fabc922660d1

SHA256
ee2241d6dab431b60b9e0197bdab5328c53e289f1d9a5c281d1df24ad8f547c0

SHA512
e8a7b24f61c012e99c3f2f6365319c0f9c4c624153fd70c8e967db8821b3e743e44ec361e0ff9016b4f3db7c25af2f7849b849214308de70c1cdeb3b0df19857

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.0MB

MD5
76d6a54cd3abecf783d17a26cf5a3bfb

SHA1
c915b3a80f9c5002895352b2b101bfd89ccd7be0

SHA256
b535c9d79ad409bbe30f26e74dcf862c20c910a1653bbd5e816c60cfe015ec6c

SHA512
849cc8abf476b43e23ffea04cd78543a94b31c78e6b3d1a8e2a4345133d4ac25068c73218c69b8a630e01143f53e5c9bc524ef65f36dd6d0adfc3363c508647d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.0MB

MD5
bf97382a14f8965a0dbf46188723de15

SHA1
93eae93162aeedbc94d1a7e04b6e9aea11454eae

SHA256
ad4ff39d03b684c4375098389fccba7111717dcf56e2f10f5bf40f98a2a0c54a

SHA512
84b720289fbfa56186a3da170a2be6dd1bda513219ee3f535e36a295065a02b12aed87e8813701c004fdeb8e93464bf3c6502707e5e688799e908724c37d009d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d54d5bda0f7a19539fb89bb758172330

SHA1
ca665956bd8a51159ecec6062c834dee375ee914

SHA256
cba11345efad1a1f2d3c44c15c1e36a189020637c22f4c56b897f5657bdc7475

SHA512
efa73ac50860e28775604b39c01e663489f4099fe0760a6f3df8ca991de38e86a03aad5ef549a7dc8a465f9dec27c66018b5ca2174aa733f39dedabc45bc65d5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.3MB

MD5
744e9bc21794dc5ee54715abf5f29615

SHA1
652165272342479ed829f921e7c4a63c44cfaca0

SHA256
b8c4b5fbd3ca1235c485353f52d53ce07ca999f34b1c6c6d2448f8989ad54d7c

SHA512
99cdb2ac41b8b0fd7c8d44561babf6c12333d4487a3082e2d9908755e7fd4ca2f4da8acdee9936f9387b20ed7e1a79d6c0653cd22de44e0a8dbca2fed1c6b866

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
d7c345cc7ba1d3902e43cec5865a397b

SHA1
5459638672e8f882f18b2a562a3811da63adfff8

SHA256
5569e5d83af087c39e8e67dccec7094e6a51b81b80593e0f5a9d2bee0a1ef592

SHA512
881e50d2f4f0a45cee6e591ab797d4ce9eb0777cf94d15a212335643d858352ef2c8be226b0f911a0796ded3dcb6bfab90930a6e6f16bf3499461910bba25461

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
900ff60c71cf2a9708a260ff1224aee7

SHA1
09eb4f2e6b6513cd5c5cf503050fbb2a87af2b57

SHA256
1124ed8458106e880a18a0634639f69bf785d9fd21c1ce6c06315b354477efd9

SHA512
a8d0e754605389712a29e5d868294119c83646a51639eba6cdf976c07e175905bba9dc5ea9ac0f00f17147d2f94931e5158a86e2a0728c325caec01432afac11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
ef8a0c046240faf5a62786498df08dad

SHA1
cfb55df68e26f7eff7c8dd314dd2570b8183b771

SHA256
65f4001a9e7e3f0c165a3032fac4f8a9316a7e1eba437e31fec898167a4db6a7

SHA512
b89eb30e0d7178980d013d4c96a3242c46298f2949a7fb2ba089c03046b42fe91fadeeb96c93a6fb2daa95f1534bfc205d01f25e8e4f051f97c86f2238717e0e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7ae3694a4e8dd624e81a7024721cc400

SHA1
797c3a5ccdee0dba46e574c8d2c2f5f76b1cf1bf

SHA256
b961be3c196f2d08725e3ec903cf756e38e49fe9d14dbf7a52cf542c05fac50d

SHA512
60a7d9fb5ddf9a7362093d1dd5bccedf71c83b87f19567678a150124b39accf5d0e9c9a1b80470d4dcef0e598302236867f40fafd3dd73913f68dfee1ce6a2c2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
3c1e642c792e37adc356ccde8a6193ed

SHA1
199d3a7150e28165faf04b1b0c56d82f4e764965

SHA256
adad98dc295f75c1fb6affbc0acb278b113abc6ea1a0974d853f3e118c2e4f30

SHA512
c3c4e2ada7217a3f5222d9d798a4ffc212adcbc024a0df4acfaaadd8a0f8330098b04499c59c89c91be8c063af6ccca3d6972a3a920dd44fd1c252a3b13f9d03

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
97053344703a3c25db42aad9cc1621ed

SHA1
b70fd761f2b2274db520c521a2bfcf77c08f7f27

SHA256
68ba8b9379e766e2e037255391e866ff3cfdeb1ed8142a597543b748fa512362

SHA512
ee908f5ae6cf6bb4ed990b76e70e3907978f443da528a14e1a4a625d7c1b900249540ec1395e178b90b63b150fdc88786fe5e5f52a2fd6794c7933922cedd38a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
515e44963a39009c861955bc35610f1a

SHA1
fc92d623df9a9b3edda1fc93870d930435a8f5c0

SHA256
920a68839fac32c83b0f7366258f17170a10bbd17bb62f4e25ffa6ac2ba2df18

SHA512
bbc2c5bcc05dd91c63b7049cb28e35f9efd8954d1274e573533c0d56cdb019fd1c2153059a11a969debe5d37838bd1e7048fbbb31f29cf7bb5924bc37a6e4986

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
f99ac6dd0b15f8695ba2655131e96873

SHA1
419e3c9bfd0290daa8b331371be86a8eeb7635ce

SHA256
cbccb94739dd435561bd83713c9e090670be7f026bfdb150dabda7202d74eae0

SHA512
e202738e44cf283514a7c1edc217bc2e54c6879ba2fee63facac20585f539f12edd755e1dba6a0bd2bc8291050e37dffeaa1a1d9493100450c10c3473dca29e0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
24dec8f6b3d1fca4466b0ffe42cd0e1b

SHA1
29c237afc158498f7a2eb38daffcb3b53863abab

SHA256
04dc40d9170054aab19457dbf7ee030d1039ac79d7e1ebbf8a02a27e0516563f

SHA512
e8710c12cbc94f5a74656d0d404cb17384c9056144efdbb2b2fe249314b7319bbb59a24a5cb8026664ab5a8860eba2aba69a7812b1929eb84b36a2743f564c5e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
585181568d55896682d4407a0f93fcd9

SHA1
ba6150a4b34f608fb32ec4b0e095430aefebbadd

SHA256
cecdad5a182b27ea175ec9822d39850b9fa121282bc56262bf7a790e4a15b2a2

SHA512
156c091191ad8fb84918f6395c131c78cd9064b0f0423486e8e800e8ae70338ac90ee90153e85b6988a407dfbbc0d52fab92370a90f059a8f2b5ad03d0bbbad7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f37511bd440d03117383b4342fd8f54d

SHA1
f52e0e1673372f4b89efe284aa73b88a2e4bd025

SHA256
a689fa86b4bb0b0380bbfb4297a2c75e553604699a067db62febc8021787fb5c

SHA512
19c8c6aa36b857cca59be476efd77f0f282102cb55413113b65d40ef46112212ca601c611d3bf28670880b9214f0da0835352e2f99754fdc800219d5be91a684

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
675a5aaa27cfcf8c946e09c653b21379

SHA1
e82332ebd398c7c45f4cf10e8ab6cae686007bf6

SHA256
9d5a511780b9ed6c7b45dbd906b724f464f7d46542d1b8a8aab8a777d14da6e5

SHA512
066efeacb895a326c4e9d3161b9b41cfef298c6a8fbc24442b2180592a864f7d77386859c500f70a31db9df2a4f3cbb9a948b1d16b7bb07dcc6c9a293709dc85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
6b121eb103a6e71981eab7c30456dbc0

SHA1
1d954da8dcab13c91223c91266891385365de2a8

SHA256
82340e620b689b21b034c319cd1e708cb1adeb6bda8c267306848f3ed49e940c

SHA512
d6726f058d759633f7b61fd6f9325b9b3855c7f853acab8b7fb0727a19c3aadeb6fdf17cf8d1b80aabdcca4d12b11365c26de54dbe2bc7da72d5687745d6692b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b92282450948a54e9e35c022291dd81e

SHA1
11fd5f84ac45c7ab643cb64fedd2449490401b51

SHA256
79b368dfa8b24798bd46e43c38db5393e160fc422414a1f3d861f1044040a634

SHA512
f8d80bf51c90ec17eda8967215c1dd39ea739008dbf635c3340606b451f2c77c57096eb750e91ed289d9d98855173136b41251ae8d6e819e4cc201073883d9fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
64bf9939e3c06ba8fc4e18f95881be16

SHA1
88d9643ed7175f1860d912ba2ae08f17b0335d9d

SHA256
642385db3a3a68094560cb137b55a43563bbd4b1ab916929d9342c03b4320f44

SHA512
f1c9b640228baaaf8dde8d40e7c09cade67bf801f66b08347d2cae03e2fbf7cfbfaae8c1247f2833eae4e1608c142ff8270645c9d3291fa6635d7adc5ea45433

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
8aa8e3d287fcfb4f103623c69022fc3a

SHA1
d8016fd3bd138ee27c5ad4604935ca0ca73d01e3

SHA256
7dbd544b386e68131f828ce01ea8130476195302c1b9903f54838e0b555606ac

SHA512
70b89739b828ebba8ab92e3989f50b37b92cc8a2c47e63d4aa1edcc84e0c1c02668d198bedddf630f703942cfc7d0c1bde2f48bf3a923e5d622c5bef994b156c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
994ec126fd8c79d6f77b294c2571b27d

SHA1
a575fd367f23754c86b1c3afd6078c0b949efac4

SHA256
dd6f97365c61e781d1947b9e474a61c04789e13b0b74d57cc3545e5ffefa1d26

SHA512
8858b4d0dcc0a817031ae783aa4815015940709213bdaf15232685b0c87b5848e9913e779316e90f56319144faa701e3793161e90744f7c867b898983fd710a7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
b419dccf729278c1f881642a1464fa02

SHA1
2faefaeb0c6e0402a71036e2d911999f4a163e29

SHA256
909436393261985a9811a46179330d689f2c70e6a9cc59dadb5463c0f92d3843

SHA512
dff6128db7780706ef101259f272e692e7eb8676739fb30b58a842a86cf8f01706d96816299d6ec9e7c5c5afc90aaee6147bca8d581ff08b0f37c1d8ca5adb5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
b1fe3c58c16978f111aac617ccd59ddf

SHA1
7ef07e2568c0b0242e098fba689c7de35311a6eb

SHA256
706b6de9d8331b32f52650f1c068c3429ff2a688e53bc919d7ad08970fa722e0

SHA512
7b220260f27c1253a068bac4b143c57544a28f9366fb5d3e7dc26a849d43d770da8c78f12ffb8794c97f8fd2c9ac0a03f2489fbcfb897e6d8be46afd7572ce39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
960KB

MD5
8e98cf0cce173f69dfa57021f3a231f8

SHA1
8b8012500379ab332d7b0a137b2818757ccc7684

SHA256
5e9499dc4683d53e50c8f494dc7dfa658b28c430a500acf5a0f8e0d9473006a3

SHA512
f41566e99f672d521534ec6b67832c6fb8de4837adb3befcd4041863930f070cf800a03180e4140a57ebdb8f38f1adf5843572906c7974bdd0bf1d0bdddbe0d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
46016712fc5382c3f94eedddbef2fd7d

SHA1
e87a4a776cd36c1aa390bd34eecec6357a427530

SHA256
1e4b5568cdf3967e236dac54b3cbee5016ad7df8d44fd7286e427f697667a3c2

SHA512
0b3e8b93f08e430c53f2fd00005fa16180fcb9076a17f4421fd2579bd530ff05de615b364ef2f6679c1d10a91a8c59da767dba1eccd2d90cf40256d97668992b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
afce61e127c25931ba743658671d1a29

SHA1
4fa32c01c31f157ffc66912f5d46acb13e720a01

SHA256
563bbb6bc0184ed29325e269aa0aa9d5cd6b40e956a205368fa816a7fc4ab86d

SHA512
7233c1bb6dcb3b2d532886a0d31b588731e7d9415e54dc918b962397be7c62525c9227147194cb7afdbbfd5b8a9c8e6362b37cc987fc0fa1562b2117933ac59a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
768KB

MD5
e8565f1035f24be20f5d249b16b858fd

SHA1
f2b2bc094dae711fa55329134c714ede5adf6ab9

SHA256
fee7053030d491c3eb2b87000ab8e8b4899d69c7791fc0427a412b46beb8fb48

SHA512
a1a1d3d4a970f0768c0d4d9f4709cfdd61a38493c098ef097cefb216a76098638cd0a15eb735e70c1c4956a70faef927bea7e9d2f332011c112ad96e694cd557

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
7ede2952431090e99d021889fd2c31bc

SHA1
04b00e86ae340a9bdb3a461567ae5f63b1c9003a

SHA256
e80a40c312c391ff285b83e4bee2768917f2a4aff33292628c778464c738c35d

SHA512
a373101cafcff07ab3ec694784e1d3e72f3e5bdf7cff5c18b844d869dab85c02b5cdc63d261ef4f1d156b73630df885a33e61e209150d43c59272eaed3b5908a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
603KB

MD5
9fc3fd24014545368b8f84bedb1086e8

SHA1
7904a3dbc19bfed08f47a4792ad93bd6dd7caa8c

SHA256
f75a9af790a71e6314132f5bfa2c5de593a665237129727210cd33b0543a0fd6

SHA512
a9d04c790f151ead255635d58a39a26ec05432d9a948a33673278fc23d54250b052cb90405e25c26d4e1bc0f322c50f493d8ef766c2f28aec452d3ae6dbe7b13

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
482KB

MD5
4e679f3f187558d921b92e2d0fce991e

SHA1
97f4e8a75ba1c757cc6aa47253ea01f3b9cc8ed1

SHA256
9dbf40626b6921cc6d3c9ca54ef198bda040a5e2d905cb4446a76cd8d1a0f519

SHA512
c1ddc8718431605b5a7dcee9a4da8239f0b17a945d63d4eb5348f09de6370014708559d93eb3bf9343bb7002c3b6e079e9b04c9747ca1918c815979908c78c5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
69e5035a4aaa810ee6c19d1a46a69dc9

SHA1
ca35440827cdc42489fe21553e688413f25d6f06

SHA256
4b41b4c87ba9c0138f4d46086a3c719466a6dc6ba402b3ef11d4f4b654b38a89

SHA512
dc60db0be01039f9bb58668f90d5f2ad903ea19142dc067bdee01b6cf9fe0a6f4209ac356eb1df68d7d46ce9c01ea42b51df0e13eb51b6201be8cf135c39c35b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
394931e00c345e5032d89dad5d928745

SHA1
064a97c032b3a623b8fbf532a10c0cdfc864cf4f

SHA256
3ee261e253cb0806b06d638e1b97e0a0512fb26ebb6da9a4e335bde7f02d4f02

SHA512
b07c0c08f739252121237544b2cab083eaaa288a37e123d102ef84bcc3b830700e142f6a2bcbaace0360fd1dc1874efba5674306b44178650106cb424eefac72

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
ed2041678774c14e3ca42fbec5f26b02

SHA1
3bfa95798df46d493083af03fd69fdaa5d8b3976

SHA256
6443e34f77b595af0d848869f0358869a9c9519bb028365bb2e51a275f5473d4

SHA512
75914ea24cb703812c91de3ab531ae5bf584e7528763040292cde80a4b8e8d6c71734313e0efdc8f195a44162fe0cc88204abd83f71e2db6e55b7d8be4078ccb

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
0a4a4ca6df506a09a438539717868f58

SHA1
d93da50f4807893bc75f1e5b62b51a5254233ff8

SHA256
3998d3e774e2c5e24b458493bf0cdc0be17821cc4d9fa3a4142c164a70678e56

SHA512
028a69effa47bdaebd23b1910d212dfb0e2a8f7f045d446807ddce2ef1860d206139d069baf3b9a60e43f6acdf3f4b70c2f49a1fdbab9d74cf4153a011fc2afb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
c581abba7e686124dd051397d8894dba

SHA1
5ed62affee4bca3150e20f261025becbe3ca5e55

SHA256
8f2b3e4513b84b3f6c692f0f6d3f1206cca2cfdb8ef74ae5584eb738fb3d824e

SHA512
2a3adfdc5741722c847533e419a0bdd1d444a50600dd64e9667e0049a25c2b8ff8e6d7eb8242cbd6622244da7cdc872f6b1e54a1472ee5e74862c219d62c526f

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
36605ecfdbdf38da1b59bc1faf325cc1

SHA1
99f5eee7fe64ad276577eb4895adfb026676c924

SHA256
7eb6037c94509246a95d7e76d471f1c23d90a598bb6940d1a47d9ff34fe0bad5

SHA512
f5743c864ff9e46ae7a046ebaef9a2884194711321b7894e7d8b81118fe17107f363235d7e47a98ed59e721f95cdc57bbf61baed54ad4021e7edf1f7ea361caf

Download Submit
memory/1160-143-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1160-146-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1160-289-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1160-151-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1160-152-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1456-98-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/1456-99-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1456-105-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1456-123-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/1548-116-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/1548-154-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/1628-311-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1628-292-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1628-310-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1628-277-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1712-259-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1712-321-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1712-250-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1712-251-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1748-548-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-521-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1748-549-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1748-529-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1748-533-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-19-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1988-161-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/1988-89-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1988-13-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/2004-331-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2004-264-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2004-263-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2004-270-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2024-163-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2024-169-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2024-304-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2024-170-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2024-162-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2228-458-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2228-439-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2228-493-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-545-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2384-546-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2384-540-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2408-306-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2408-488-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/2408-297-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/2520-324-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2520-513-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2520-538-0x0000000074238000-0x000000007424D000-memory.dmp

Filesize
84KB

Download
memory/2520-397-0x0000000074238000-0x000000007424D000-memory.dmp

Filesize
84KB

Download
memory/2520-337-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2520-315-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2612-132-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2612-275-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2612-125-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2612-126-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2700-253-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2700-95-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2792-516-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-531-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2792-532-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-515-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2792-507-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2868-246-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2868-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2868-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2868-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2868-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2992-326-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2992-285-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2992-358-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-421-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2992-448-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-446-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download