0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
Size

1.8MB
MD5

34c66788459de7bda0852bb9145a1b3e
SHA1

dadc2e8ce22086d70185ae7329243bdb63f02d31
SHA256

0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076
SHA512

38d2c60964b1f7d305af6ea80102e9ad0a8e4ff26b343a8be52a3e9d1e72bf1bc59084c58fda0c671d27fa8f5fd4ce199355bd4943791709db416efcb705ea8e
SSDEEP

49152:ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVG05SEP+qJlS2:avbjVkjjCAzJWkEP+qJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 30 IoCs

pid	Process
464	Process not Found
2464	alg.exe
1052	aspnet_state.exe
940	mscorsvw.exe
2680	mscorsvw.exe
2284	mscorsvw.exe
1664	mscorsvw.exe
1688	ehRecvr.exe
2468	ehsched.exe
2336	mscorsvw.exe
2168	mscorsvw.exe
1572	mscorsvw.exe
2728	mscorsvw.exe
2396	mscorsvw.exe
2952	mscorsvw.exe
2632	mscorsvw.exe
680	mscorsvw.exe
2984	mscorsvw.exe
2008	mscorsvw.exe
1544	mscorsvw.exe
1740	dllhost.exe
2708	elevation_service.exe
2456	mscorsvw.exe
2812	GROOVE.EXE
3048	maintenanceservice.exe
2856	OSE.EXE
2624	OSPPSVC.EXE
1364	mscorsvw.exe
932	mscorsvw.exe
2488	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24ebf0f5ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_th.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_sv.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_id.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_ja.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_ml.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_te.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_ar.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_pt-PT.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_en.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_da.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdate.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_fr.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT8D81.tmp	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_sw.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_gu.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\GoogleUpdateBroker.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_ca.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_kn.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8D80.tmp\goopdateres_hi.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3D7BAB3E-61DD-4E2C-AB4E-D5322D23BDAA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3D7BAB3E-61DD-4E2C-AB4E-D5322D23BDAA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1708	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
Token: SeShutdownPrivilege	2284	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2284	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2284	mscorsvw.exe
Token: SeShutdownPrivilege	2284	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeDebugPrivilege	2464	alg.exe
Token: SeDebugPrivilege	2284	mscorsvw.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2336	2284	mscorsvw.exe	36
PID 2284 wrote to memory of 2336	2284	mscorsvw.exe	36
PID 2284 wrote to memory of 2336	2284	mscorsvw.exe	36
PID 2284 wrote to memory of 2336	2284	mscorsvw.exe	36
PID 2284 wrote to memory of 2168	2284	mscorsvw.exe	37
PID 2284 wrote to memory of 2168	2284	mscorsvw.exe	37
PID 2284 wrote to memory of 2168	2284	mscorsvw.exe	37
PID 2284 wrote to memory of 2168	2284	mscorsvw.exe	37
PID 2284 wrote to memory of 1572	2284	mscorsvw.exe	38
PID 2284 wrote to memory of 1572	2284	mscorsvw.exe	38
PID 2284 wrote to memory of 1572	2284	mscorsvw.exe	38
PID 2284 wrote to memory of 1572	2284	mscorsvw.exe	38
PID 2284 wrote to memory of 2728	2284	mscorsvw.exe	39
PID 2284 wrote to memory of 2728	2284	mscorsvw.exe	39
PID 2284 wrote to memory of 2728	2284	mscorsvw.exe	39
PID 2284 wrote to memory of 2728	2284	mscorsvw.exe	39
PID 2284 wrote to memory of 2396	2284	mscorsvw.exe	40
PID 2284 wrote to memory of 2396	2284	mscorsvw.exe	40
PID 2284 wrote to memory of 2396	2284	mscorsvw.exe	40
PID 2284 wrote to memory of 2396	2284	mscorsvw.exe	40
PID 2284 wrote to memory of 2952	2284	mscorsvw.exe	41
PID 2284 wrote to memory of 2952	2284	mscorsvw.exe	41
PID 2284 wrote to memory of 2952	2284	mscorsvw.exe	41
PID 2284 wrote to memory of 2952	2284	mscorsvw.exe	41
PID 2284 wrote to memory of 2632	2284	mscorsvw.exe	42
PID 2284 wrote to memory of 2632	2284	mscorsvw.exe	42
PID 2284 wrote to memory of 2632	2284	mscorsvw.exe	42
PID 2284 wrote to memory of 2632	2284	mscorsvw.exe	42
PID 2284 wrote to memory of 680	2284	mscorsvw.exe	44
PID 2284 wrote to memory of 680	2284	mscorsvw.exe	44
PID 2284 wrote to memory of 680	2284	mscorsvw.exe	44
PID 2284 wrote to memory of 680	2284	mscorsvw.exe	44
PID 2284 wrote to memory of 2984	2284	mscorsvw.exe	46
PID 2284 wrote to memory of 2984	2284	mscorsvw.exe	46
PID 2284 wrote to memory of 2984	2284	mscorsvw.exe	46
PID 2284 wrote to memory of 2984	2284	mscorsvw.exe	46
PID 2284 wrote to memory of 2008	2284	mscorsvw.exe	47
PID 2284 wrote to memory of 2008	2284	mscorsvw.exe	47
PID 2284 wrote to memory of 2008	2284	mscorsvw.exe	47
PID 2284 wrote to memory of 2008	2284	mscorsvw.exe	47
PID 2284 wrote to memory of 1544	2284	mscorsvw.exe	48
PID 2284 wrote to memory of 1544	2284	mscorsvw.exe	48
PID 2284 wrote to memory of 1544	2284	mscorsvw.exe	48
PID 2284 wrote to memory of 1544	2284	mscorsvw.exe	48
PID 2284 wrote to memory of 2456	2284	mscorsvw.exe	51
PID 2284 wrote to memory of 2456	2284	mscorsvw.exe	51
PID 2284 wrote to memory of 2456	2284	mscorsvw.exe	51
PID 2284 wrote to memory of 2456	2284	mscorsvw.exe	51
PID 2284 wrote to memory of 1364	2284	mscorsvw.exe	56
PID 2284 wrote to memory of 1364	2284	mscorsvw.exe	56
PID 2284 wrote to memory of 1364	2284	mscorsvw.exe	56
PID 2284 wrote to memory of 1364	2284	mscorsvw.exe	56
PID 2284 wrote to memory of 932	2284	mscorsvw.exe	57
PID 2284 wrote to memory of 932	2284	mscorsvw.exe	57
PID 2284 wrote to memory of 932	2284	mscorsvw.exe	57
PID 2284 wrote to memory of 932	2284	mscorsvw.exe	57
PID 2284 wrote to memory of 2488	2284	mscorsvw.exe	58
PID 2284 wrote to memory of 2488	2284	mscorsvw.exe	58
PID 2284 wrote to memory of 2488	2284	mscorsvw.exe	58
PID 2284 wrote to memory of 2488	2284	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
"C:\Users\Admin\AppData\Local\Temp\0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 288 -NGENProcess 24c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 1d4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1688

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2708

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2856

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
2b3884a61475827cb1acd40d159ecc0c

SHA1
c226b24361038abdc08a84baef48d988875d824d

SHA256
4fd02300f3e86cdbd99cab4405c4894683c29b7f834ef2832debdc751fd101c0

SHA512
640a69f8b26d9db88c651982a5212d7afe07cc976769589915e62249d2149cbae53dafdb98d452455b0f040a659c82f5681d22731fb398f2d8b407b39657bf4c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
6f65c3c62100c1d16f40b31dd32ca1fc

SHA1
fc88c98fbf59f22fd0f5f2f9290182117ac5ae10

SHA256
7f3820df43095f7a07e44b4b574e9cc81582ed44eeb3e3eeb464234c55f0d57f

SHA512
191ec6fc888552a90af27ee0423a82f5f1fedef4ddb07ea9f765a9402fb1550b0b270bdddceffffdedcceb93baf65c23293324316b1f4ad98e5f20c0905fab39

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
8633cae3a8119442c762756297f1a1f6

SHA1
0bdb3becb5f837f7e02d9b46e3f470f29fbac935

SHA256
4e05fcbf88063bf2641cc3223a35fa682d2ad1c13d6a33497400b16d12ca95dd

SHA512
1051eff4638455b96acea16292dd27d1b3d8dae5e65ccab38085f14174f64e3983fcc0ddf233db7047443c335e0c5bf1ae27ad92e73c23aeb5a6c1311ab503e9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
2fe0a12a2bc5b6146f0d8c38eeb6187d

SHA1
08ec4fb801b735f6429540b1bfc38522ec4bb8ed

SHA256
53e51f23b994c2b089964eaf152d2a5722d7dbd9a53efb91a7c1661ebfcbb3bf

SHA512
1a87e553d9179678a73a6edbadcb3208c7e5f6f287661044c0e6dcc423ed950892d7f889bb94c49f6da652e6d40d4498486c7a03c937a3c71d8a5ae32addaf97

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
0c5a54b6789e31ec02b5476b08dfb60d

SHA1
97dff1032dc48745ced58bf5163db05b4b6f5921

SHA256
f77cb3c9dc25cc948606a0676b4865d8a5638af1737973319c437f9c8fe7b226

SHA512
0b36c7af263538265605dbe211fc5066e75341cfe6c02387228439e581b39459ba70a1c0d0a4134579d6f1c68b9d2d98d34b9e5d946eeb1df10fcb90b3eb426f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
60942b1dc4c32b624336f661c744711f

SHA1
0d7d26dba9142cbc3bc397c0e14e9e13283031ac

SHA256
b5055e093e5c6e955ae06c4d89e16524e27d252a907129bef178e66c4ba4fcf0

SHA512
f16be7ed88544767e985134ccede1769e44c07acbc206577a6c7946539a94dc8ad1e0cf3dde2ebd135489abc64875522262537f22edbd94e47161bac79e9b2a4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
086a6f3017b8601bdf70b6205bece643

SHA1
f2468d7348772bb02decd6c8593b8d70ce915029

SHA256
fe03a34d7da1346880a06a2ec1001fa8e793f525ded23f706c33a018104f8251

SHA512
6f1c79b483c3e0e042e80d3d98252837c20de282c81453d1fc2ac4ae7e610aa1ebaa0469b101a970954982ef8e2f64b59b886b63408ceb07111262f3d51df4db

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8938d550d730f0ef24d8ef5b404eda54

SHA1
57d617c50e01992a33c75f84d20071736cf1fd80

SHA256
a2b75bfab10ac725b3dbbab09491b9207c9e84a11e8b184a5def4e3b619c28b2

SHA512
7093e26cbcd5a928b0b72bfaee8062d7904a93822fc4df52fcae0c707f85a83863def558918f45c41f3db14d472bfb7523aeda8f00fed30e2a4706fc57edf28c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4d484f57a66965fcaf1b8853a6a4e6c6

SHA1
7f8dac31b9124d354c104568fa7d6d6974b15b49

SHA256
6693accf35da882fa02537ee7ed08756c7dbd9f6fa5abd793b08de748405c9c0

SHA512
ebfe39ccc633c606fddfc8e7c8901094e203314bd56ea39b0548d7a1f250b6334cca0e103b3a39f22f95fd77fe9047ae57067d39943b4e84adc34f1566c8ca6c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4b831fc669375a125022cd3dcc28ef88

SHA1
dff18664314613f6acdbe6065cd25cbaf82288fa

SHA256
2f9e749ed73685a179042aa260c4711f7e9ec817d5b0c2aa97c6cc8b415e1f76

SHA512
a9b9ca5cc293b4bc1be388f8ed3e59510882b56fa798fe03eba6b8cdda8283e49cf46fb042df836871dc6686e80a388e48842bd6ea980f37ad8449cb9f2ee271

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
21a63d4e9bbe5a6642d681cf13f249ac

SHA1
7059e9d31f62b2b545808da61473c80ac7be85ca

SHA256
825f853e179f59f5835136d3c3e7a3cb4bc0b8ae9ef15add8717e2a37cf59672

SHA512
fb82ec912b33954d75455e7585da69ec3cae102908a072a1fea306960864d5d58f7824020a650198169848a5e2d5db60617c1de42a7a460e42cff73d3d1a0dd5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
594bdfa5c561e46a4b979e846ffe0544

SHA1
24573716c5bddda7ef9821365b1d5400258f44c3

SHA256
d95d431ed4e09f7b5fc36ccfa650b4940ec3579686bd7890ea6abcd223dad8a1

SHA512
610752469fb0ce6fb7204f21c660be31e2983d5983675a4e1b890c38813a695d17bf95b9b28de3ab7801cbf77092967f48f3c9a043fb5bbd5eefdd6b3e0b243d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
00c9e838e95246ad32931c7fb3066b01

SHA1
671cc63ce77b9301707ae4067653ffccee2df3ea

SHA256
139d52e7dcfe87a12a19de4190f30848cbe03100fd30ffb50100a6e0cc996695

SHA512
0130b08e3b6495c8cd210e1465d314b470227eee5a1ea6f64bc1f3232d29aa800219dcc10836e45d98be6a06adddd926a894de321cf587913056a91c6b5852d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7591b703a7aa0fd68d88f300cc7140ac

SHA1
a902e63e7121be63eaa4afc437398eec55d4bd7f

SHA256
4c6c0ca8823bcbc6732bf9a23e3c0776e640fee8e8ceb430728b97426b6d2a25

SHA512
034af6ec8f27976e22a03dfb07a2fe3d9d3db12233561cd73792d4ac274b827995f8fb46c5c41962f4fbf7cd52e38a7027bca8788a22f20be0e10133ab664eda

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
7bd3ea41b74b898395ff8be2bad4306a

SHA1
a640d07bd7041658cbc53bb94431560da24563a3

SHA256
20405c6449fdc94e27d40042b8f17f17b51da60f88ee4eae541135ce038156c5

SHA512
f4388fa1fffd5d0fc7ad520bb377c9e1615041866e5d0c12a6184d1cb30a23ec1160b9c28e818931f4f1c190046a9fcb84c2cc82979fe6a3e71190db734d510d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
47f34ca03552be2d4a11ad114355f6df

SHA1
122463b2e8d312507d32e2e07337151b3cbdbefe

SHA256
7cb59db5df31149d62cc644688b19a8fe271d8b97f08f93db15bbb3fc8ebbafd

SHA512
7a89998ab7f8dc10205a18b3216a8b690fd59320541d13f2d849684522a96f62f4de1dc5dee7aab680d35e3a9fd3f47e2c7905152615ebac2a4cf13c97fca817

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d30452fe004c3620060fd8f7d3cf0beb

SHA1
ce94126570ae5cc0e95f4dd41a5dfc42042c3991

SHA256
3c68e372dd0852c573f4413b286511609aa507b16c6d0d5667046dbeac6c2c81

SHA512
3db3633202bec44b299c88f90cd6332478b66e5ab5c4d1354142220194137970986ca6084839b95f41e8b0aeb466770e91ff3cb71665d1a6727f3d24010b856a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c3df70e1bcd9f981a4664c4d89f33517

SHA1
dd1dd6bb35307ecda38c17e0f48ca1553b3b8f41

SHA256
e7341374c640143c4d8d3dcd794b6f4d8e4871f5577bb50cad753fdd3ebdbbc6

SHA512
ed251501a754acc73ee7e300ecd2ad3df0599501b64f57003888639c83e4a661c5a4e84dbb9f85de42357a529a286b2a63fc8dd8127d2bed588ee08c2bc3cbfd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
b2105b3614cc66cb8833e376d0ce3ac7

SHA1
509bda71c31aca79cec61c3fd7bccd4cee2fe3e2

SHA256
868a4144668a408ef0e7bba1dc57e51a81f0cf142be2deb38a060e501d09c473

SHA512
812e5bafa8a5252ce16005697f1f7c06f7e3e7bea9873908f6e97172a9007534d9ce5726e2dd4938d22072c18239c94c953ee34ea0cc17c3f96534d62e1a0115

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
15693bd437cadb60befeea148efb3520

SHA1
883896e85bc6b27cda4e210b077d179193afb71f

SHA256
534b637ec1ac50dc728c082997d9553faf96cabbe6eb91b67c8c8ba9c11012f2

SHA512
fed053643c0bc5fc9fa103b9f96aa391834d82b9497904da0e277b8422e935c406c95b4914849bfd9eb7a80375b633adf18d78d2cad4054e2c0d6a1122a48509

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
9103d77f86dddde6b215dce8d6b2f6f9

SHA1
a878f1ecd4d11d4792fb91c2d740661b926aba68

SHA256
d28c491bc1553f048ffcf02d8e1b17eca74214abcaf5bce2d63a775709751f84

SHA512
c63fc720ff2455766f6691627489c306e4b22ba7ec86ad6807755afaf16dcc8995375f665bb01b32e776f6e7341c54a1a0848d13b99e0da769e08103a9585343

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
413d9c25e1fb1ef4aa31fc52d0695ffc

SHA1
460e9a577223389499cb5fc4766238cbd6f6e6b4

SHA256
35a9c7a1838a530f5921ed522481a6fb00c266267763aae3bdd0532c7859d385

SHA512
c697b2fc5f82be58fa395a69cd83e4fa9c026bbe1844a53ac7ab51b6318971a23359cb6fa16ab85b399a951a825afaa2547aab2676e620f3d3a343dd0a744bf9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
4212cc45c1d496a1d9a3701844c550b8

SHA1
d37307dd78b212be18bd294ebc4ecc8243e21a7d

SHA256
9987cc95e700af0b237e3d9a520aba4a123aa2bba17c3e6e8af9e2cc373a26fb

SHA512
3c9dbcf6eca57a1a7948d09ae6d5e0c29319d1b4504c2c8823abc2f0267783d7ad528dd318f032005f5c222f22f3fd78f74f5e8fcd01165e1bed9e99c5d90ec7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
c748db4139983169ca49fb2e0e1b2398

SHA1
7f4956daa21ff988e8baad4295b149c60e56ffbe

SHA256
96edf13bcef07a38fe93956bfd9f298bf1d7d3978b9b453e39a4acee223acf43

SHA512
466c8e673ac52c80faba3aa7524e51aa6962bc20b5138371c3abb7e5b620da216b40638cc8d656165b535fca5cade3f1202f89eca2de8ea545a126233a9b2be0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
b6aff6224d53aaea081227d0fa62bf8d

SHA1
8ae2c0eafe1a67a015728cdaf2dc20953a48cf4b

SHA256
6acea9b34e6da4ae3373405f7b07538be94d50f66c8229a07826a1425b1ce143

SHA512
f910c00337b979e2296eaa76e838f8c0150f962250e89f2de753f7573c1fd22d82da632c403d89f8f91bf9c44d68fa8f1121d0f34945da05d819398b3442639b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
42f2be205e644550deb2b0655c77c23e

SHA1
c76f2b0cce521b00bb1305ce1347f8e2988488d1

SHA256
206a7b75ffb9a682c8d8da39d3580e76eaf0d629c06bbda09d61103dd53bd322

SHA512
d415c174ab29356bb337e5410ea59f6716f31fcae3c5ade8af9e17f7662865027130aba6fdb6ab85730dfe3d0fd51d201d7ee29b31a3c2a556357d2bb1efd678

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
ceb26ddb7ffa29c530c9a95e6e5acf36

SHA1
42e15ddfc080a686dcf568fc8191ccbdf21392cb

SHA256
3f672372c1176183baa177492d5b2162057e9d8a3b85ace7f3aebf1bb8ea805d

SHA512
f929555e275852afb81f0c77d8a9c13cd1e414dab06f4913c840e4afa806b739ba36f16b1b03c60d8b8830c8a8a307f56c1d4a8c150aa03a359cfcb871546026

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
1aff25ba656124b756320be2e3f275c3

SHA1
d324d4aca8df8ae77d6fca0fb016cdfe7cb2d3fb

SHA256
245eb32e858ae3f31b837d0f83e4c47f4305bbda816dc7ffaed37e533be60ac8

SHA512
fa9af8789bf4113687aa3e0d660538b985c7551951d32aa99fc0f2572a671170c1aa05ce92aa334e65fe1eef6ff73d18f0ba6355322ea1dc5dc040c0745aa243

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
125c514719af22919de84c7cf1f2b2e2

SHA1
fcf4aa412765b9fe1fb094b6469cdf7e5bc4705f

SHA256
466a062093d9ab99670e4995b2fb16e054a8cab9356fd08c6811e39f80c6bcf4

SHA512
40c6848748ff3ba53423879399938ae2e16c15153cc283109e1ce11fb50ba9ba4978b5cbe9b2e187a567ee3720dea94c2b64b2a321393f55e2b22223f3424da5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
e8416b32dade0c1681cb18b67a89f260

SHA1
43494e2f64f8886a744abdde118980899bc688b0

SHA256
c840c5dec3b43633871d56d91a6bd4f4f297a03d15f8476d73360f38798a7619

SHA512
814403e73b88a351a180c5bc9c602cb161acae9f4b41db66739fd4c6ed53c271f00612bba02a3e68e7e8636ae24eabc5a1a36cc7e41260aca37708abbc3adcba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
ccdd1504b2c1778c1573a5bc65963caf

SHA1
aec3e936924e9ec4d676a019c15111a297c9cd12

SHA256
8153353903591666be4e44279c7ed456ba399ef1710add3b7c00c209954bd63d

SHA512
d2fc5da83279cab2d8f580f1f5282ae93392c2313ed8c171411b9713f151b30ec61c5828a3b2467af23a40b80eaee6de024db382f1f260af3b91d2cdafc460e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
208ca7ad78b65da1ea705ca7eb6a7754

SHA1
5147d3b429e219ae0c57ee6ac6ba2b4aae1a1da9

SHA256
e581d237a5975362084a252950c9ee11adf0c3344d621a476a3de96b94202c1f

SHA512
fa9d64fd78523254597c0d3fb4a9c44846fa9740c2da1acd455fbb08c84867b67a781bcb2889c74ac8c79b49769e624ab1d3a11c73eca8f246b062bef5955cce

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
375d256c5763f5affcee1ddf9efff16e

SHA1
c69ac4a37fb6bbc6935335850ca6582b29498b33

SHA256
765383bd5b955efe0efd431ef6bf2f094dbdfc1edad83923077b717a5d2763b8

SHA512
90074dd64432c1d515042d455547f5d4a5653fc703d7faf2626424966ae19f560e6803f4c8ed39b9024f604986438636561f18e463101b543cb68312653319cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
94037a339e5af90f5a1eef8bc5ec00f2

SHA1
36915442853901265dd56acb29ffe8ff79ba3ee8

SHA256
5d4dc65ae66e94f3efb27bee5d57fccf16d51c4a054724b0eef54b59aabab8d1

SHA512
a704823d0983d4a6d5a0f41b7b1b70686d280b0b10ff6b8068ded4c4e060044319cd9c840af2dadf6a4dd6b536d750de6fcfb0629d2a7d5405fe13fedf774a24

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
d67a53c0d4d7b6dc2c1217b37624bd9b

SHA1
b6d543aa88b2d6dee154a5c550e240f9ae7e5dd7

SHA256
c45698d8c45ef6be9829438940cd44d0b7d32f3479fbef06527d892d3d77e7e8

SHA512
7fa2ae64bb73320f47b2e379b786b4e4131a531f6eea824365b5092864aff53f3c6f0f9f46fb7e5951b0502d105ba824e0bdaf383663cb31f3f87481f1dd5aeb

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
5f4bfe9f6094bb4e0e0731d6d2674e84

SHA1
57ec90915499d74d161eb400cb8118286ac06132

SHA256
be4b018761f69f98d8b255baae8fabf59022b50e92471b2f1a06b7a66353f448

SHA512
76f511476b6b276a367a92f20508bc521b7f22ffb1a3275501b1e78753a03aea09c7aa914610bfde99a1ae37080b5f128b2393755b8e7c0d3a6af6fb412c0b68

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7293f7a7e8b64462e33a277bd67d055b

SHA1
81a0492fbaaacf63b4ac79c3475ad5f7ba92092e

SHA256
40544a59ac08e83dee29f604c8dc73875247a190df87de7748a868f06c0fe4b3

SHA512
e5c5923bf2e88483972929eef7e1e4c149ecff6085d00a5effd4930509fc8b1a87c43fb6141e70d81975f1927ad994ab381b05122b9be5837f866b752c491c19

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
d8e44502cd27dcf545dff0ab860272e0

SHA1
9c22319680b0e75d50b6b1648fe489d68b7cf83e

SHA256
4b815ac9cbd08e504faea4e3d868fad703780003e7abc8f79d5afbdf27102cf1

SHA512
df8e593f379eecb5ab18c45e0a92962b272d349f0c1639d42b784e7b13678e16d0e1a876c44aa80ea4ed53f90f3ae23637a5a4daf81d53af445d2067548e7a2c

Download Submit
memory/680-357-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/680-371-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/680-369-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/680-354-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/940-104-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/940-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/940-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/940-103-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/940-124-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1052-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1052-171-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1544-401-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/1572-302-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1572-288-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1572-301-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-284-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1664-142-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1688-270-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1688-287-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1688-170-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1688-169-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1688-172-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1688-160-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1688-153-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1688-152-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1708-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1708-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1708-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1708-246-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1708-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1740-411-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1740-403-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2008-408-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-382-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/2008-387-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-286-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2168-261-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2168-267-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2168-271-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-289-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-125-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2284-258-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2284-131-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2284-123-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-259-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-274-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-251-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-256-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2336-273-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-250-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2396-317-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-311-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2396-330-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-329-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2464-13-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2464-17-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2464-26-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2468-165-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2632-339-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2632-372-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-370-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-345-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-144-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2680-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2728-316-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-297-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2728-306-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-315-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-331-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-326-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2952-343-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-344-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2984-365-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2984-373-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-385-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-386-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download