5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
Size

1.8MB
MD5

5aef42cb1a86816dfd2146d7d0225797
SHA1

2a9554d3f2d8d9fe81c07007f05a231c5db3c3c9
SHA256

5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d
SHA512

54f8387bf1575db90b0fe21c69fbde62b29fc5f1a37be19a04ea849f02713365742ce257be99720f630c94001280c0c7b33fa891b0b5cc2941fdd18ce65841dc
SSDEEP

49152:OKJ0WR7AFPyyiSruXKpk3WFDL9zxnSmJvMf+swLH:OKlBAFPydSS6W6X9lnzqWswr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
468	Process not Found
2144	alg.exe
2508	aspnet_state.exe
1632	mscorsvw.exe
2156	mscorsvw.exe
2200	mscorsvw.exe
1172	elevation_service.exe
1776	GROOVE.EXE
1484	maintenanceservice.exe
944	OSE.EXE
2528	OSPPSVC.EXE
2968	mscorsvw.exe
1728	mscorsvw.exe
2440	mscorsvw.exe
900	mscorsvw.exe
1684	mscorsvw.exe
1968	mscorsvw.exe
2600	mscorsvw.exe
592	mscorsvw.exe
2656	mscorsvw.exe
1944	mscorsvw.exe
2044	mscorsvw.exe
2312	mscorsvw.exe
440	mscorsvw.exe
1104	mscorsvw.exe
1756	mscorsvw.exe
2772	mscorsvw.exe
1684	mscorsvw.exe
1164	mscorsvw.exe
2372	mscorsvw.exe
2516	mscorsvw.exe
896	mscorsvw.exe
2880	mscorsvw.exe
2060	mscorsvw.exe
1212	mscorsvw.exe
2312	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\480a74983db14c9a.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\GoogleCrashHandler64.exe	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\psuser_64.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_th.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_ro.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT61D0.tmp	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_kn.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_ko.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_am.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_vi.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_fr.dll	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2004	5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	2200	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	2200	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	2200	mscorsvw.exe
Token: SeShutdownPrivilege	2200	mscorsvw.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeShutdownPrivilege	2156	mscorsvw.exe
Token: SeShutdownPrivilege	2200	mscorsvw.exe
Token: SeDebugPrivilege	2156	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2968	2156	mscorsvw.exe	40
PID 2156 wrote to memory of 2968	2156	mscorsvw.exe	40
PID 2156 wrote to memory of 2968	2156	mscorsvw.exe	40
PID 2156 wrote to memory of 2968	2156	mscorsvw.exe	40
PID 2156 wrote to memory of 1728	2156	mscorsvw.exe	41
PID 2156 wrote to memory of 1728	2156	mscorsvw.exe	41
PID 2156 wrote to memory of 1728	2156	mscorsvw.exe	41
PID 2156 wrote to memory of 1728	2156	mscorsvw.exe	41
PID 2156 wrote to memory of 2440	2156	mscorsvw.exe	42
PID 2156 wrote to memory of 2440	2156	mscorsvw.exe	42
PID 2156 wrote to memory of 2440	2156	mscorsvw.exe	42
PID 2156 wrote to memory of 2440	2156	mscorsvw.exe	42
PID 2156 wrote to memory of 900	2156	mscorsvw.exe	43
PID 2156 wrote to memory of 900	2156	mscorsvw.exe	43
PID 2156 wrote to memory of 900	2156	mscorsvw.exe	43
PID 2156 wrote to memory of 900	2156	mscorsvw.exe	43
PID 2156 wrote to memory of 1684	2156	mscorsvw.exe	44
PID 2156 wrote to memory of 1684	2156	mscorsvw.exe	44
PID 2156 wrote to memory of 1684	2156	mscorsvw.exe	44
PID 2156 wrote to memory of 1684	2156	mscorsvw.exe	44
PID 2156 wrote to memory of 1968	2156	mscorsvw.exe	45
PID 2156 wrote to memory of 1968	2156	mscorsvw.exe	45
PID 2156 wrote to memory of 1968	2156	mscorsvw.exe	45
PID 2156 wrote to memory of 1968	2156	mscorsvw.exe	45
PID 2156 wrote to memory of 2600	2156	mscorsvw.exe	46
PID 2156 wrote to memory of 2600	2156	mscorsvw.exe	46
PID 2156 wrote to memory of 2600	2156	mscorsvw.exe	46
PID 2156 wrote to memory of 2600	2156	mscorsvw.exe	46
PID 2156 wrote to memory of 592	2156	mscorsvw.exe	47
PID 2156 wrote to memory of 592	2156	mscorsvw.exe	47
PID 2156 wrote to memory of 592	2156	mscorsvw.exe	47
PID 2156 wrote to memory of 592	2156	mscorsvw.exe	47
PID 2156 wrote to memory of 2656	2156	mscorsvw.exe	48
PID 2156 wrote to memory of 2656	2156	mscorsvw.exe	48
PID 2156 wrote to memory of 2656	2156	mscorsvw.exe	48
PID 2156 wrote to memory of 2656	2156	mscorsvw.exe	48
PID 2156 wrote to memory of 1944	2156	mscorsvw.exe	49
PID 2156 wrote to memory of 1944	2156	mscorsvw.exe	49
PID 2156 wrote to memory of 1944	2156	mscorsvw.exe	49
PID 2156 wrote to memory of 1944	2156	mscorsvw.exe	49
PID 2156 wrote to memory of 2044	2156	mscorsvw.exe	50
PID 2156 wrote to memory of 2044	2156	mscorsvw.exe	50
PID 2156 wrote to memory of 2044	2156	mscorsvw.exe	50
PID 2156 wrote to memory of 2044	2156	mscorsvw.exe	50
PID 2156 wrote to memory of 2312	2156	mscorsvw.exe	51
PID 2156 wrote to memory of 2312	2156	mscorsvw.exe	51
PID 2156 wrote to memory of 2312	2156	mscorsvw.exe	51
PID 2156 wrote to memory of 2312	2156	mscorsvw.exe	51
PID 2156 wrote to memory of 440	2156	mscorsvw.exe	52
PID 2156 wrote to memory of 440	2156	mscorsvw.exe	52
PID 2156 wrote to memory of 440	2156	mscorsvw.exe	52
PID 2156 wrote to memory of 440	2156	mscorsvw.exe	52
PID 2156 wrote to memory of 1104	2156	mscorsvw.exe	53
PID 2156 wrote to memory of 1104	2156	mscorsvw.exe	53
PID 2156 wrote to memory of 1104	2156	mscorsvw.exe	53
PID 2156 wrote to memory of 1104	2156	mscorsvw.exe	53
PID 2156 wrote to memory of 1756	2156	mscorsvw.exe	54
PID 2156 wrote to memory of 1756	2156	mscorsvw.exe	54
PID 2156 wrote to memory of 1756	2156	mscorsvw.exe	54
PID 2156 wrote to memory of 1756	2156	mscorsvw.exe	54
PID 2156 wrote to memory of 2772	2156	mscorsvw.exe	55
PID 2156 wrote to memory of 2772	2156	mscorsvw.exe	55
PID 2156 wrote to memory of 2772	2156	mscorsvw.exe	55
PID 2156 wrote to memory of 2772	2156	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
"C:\Users\Admin\AppData\Local\Temp\5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 274 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 1dc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 298 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 29c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 26c -NGENProcess 1dc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 258 -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2ac -NGENProcess 29c -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1172

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:944

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
9a78a5da44ab92ae4aef5d1abc5af06d

SHA1
49dc0e1f9c3fde555420beefafaa02609fdae905

SHA256
320a241e8320b237dbb53bc6aef4420fe265c81cc4dffcb5052764920a3ac0b8

SHA512
1605d8471913ee06bf12c22e77fa2ac760a9248b5bf71aa5fb96579fb231a3f6fd086dbea10b0e5fd40a52576c4b2b5fdce8015058f967df0c255d61c8432063

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
6f17483b5c2bb1d91738beaf89497baf

SHA1
7d6d29a4833791200c20d4d54a104efd51a2ae97

SHA256
9d572beefd07a1ab54dcc374574ace15176149f92d11f23e5f67cc67ec5a6b38

SHA512
bd56ba919282f74a9ae49b46609dcec9df9ab77b10414cf6467e582e6afcdebf6b3440551a9d135b689b690c8941d307eda88d2c51d80af23609a67c439d0b66

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
8bdb96801360975efd7bbd8b55c64b95

SHA1
5ff037bb2457138c3fc1134d0daf11a3ff381e05

SHA256
38860eacaf0daa1df496749e395c8bfd1c9ea130ce7f293fa4dd068c3c92a1af

SHA512
e1e2b0ee2cc6cac0d4b142f25c9ce1b14f19d1c060f1621cea612cbd9ce4f941df0aa4040d9904c43e32f1cb18419ddf73e54873172c77089263fa636f7f9445

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
a80eee393e429d0d09710311ea7c08ec

SHA1
6c2eb05f211d973edc543ed3283da92fcddad429

SHA256
03d032e0ae23546df61fc1c1ad6cbd74bea3f7649040ee6f13fe756d19984f96

SHA512
35045ec4202e3c17a85b9ccd69e8c217f13729e247a54107ee659956bd17219ca12c4ee5b3ddee93b2d96f4ca65d6ad3a6279e2928879360198eebd56c59d608

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
9807b784ec612ef577ba2ee0eacf6dfa

SHA1
7e57261626a9032a4378e1427936c380b10d773b

SHA256
5ae06fa2e77f0c2abe2ae567e5a4e5fdd03e6141b3c0730d6b6ebc1018f92f05

SHA512
3e332963de780e18ce5b04a5a9b3509caf6e6d18cab22e7abe3f431b3ee5bc2ae16965e13426db73d9ee48d77a1d2b03f83f03d4a486c55fc8d9618498d1a8e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
713cda64698169754ba8d8fe46c49501

SHA1
014045fc250aee60902f020c1e01f514a49dcd30

SHA256
b399614c83e81185ad52402a96b8925d2ef483c04b6ab60c209c5b503c88ed13

SHA512
7549696fc74f028e15cd32a620030a8a93a18ea4305b1d94cc4cc30c8d0e11f38891bc9235a15c813a5f4e15e8dde8b3390a7dce06333cf70c5162533f36f274

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
466070277030479a97f7097e8939d50e

SHA1
bf57610f6c65bccd07230929d05eb47c985fd15b

SHA256
73cd94ed1bfa21fbd1ec1356dd2d2c7278930b9b5bc3c98850dca156ccc00927

SHA512
4e4eb440537fc97e056057883d4234518daccd311989f2d093a501ed60757b38070cfeeffb202091869a4e765dd37d0805f3cba84856a2962df4496411b28662

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.3MB

MD5
811991ce68fd9989906337a97bc8523d

SHA1
7783fa3a4346ceed11eab19afa05e40e234a32bd

SHA256
344d7198ea5262e9ace03e6e80dfab0edf2f2634f632f79a6bf19feb89e43c89

SHA512
a5008b5b32ad536be411eac73967fe7aed6cfa6a4ffa8f6e6e23454fd31fd6861b1be09d55da80698ac050e7583ba99c6c3b2d6b0706f28398794ada220f7e58

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.1MB

MD5
c903097cf8970a2a0e8d771b15ebc3bd

SHA1
4c254072d4265f653f80f8d293d06997ed8ca807

SHA256
50883d01770b84442f0225d6aaf874ebcb655e9012f26ab2ededb921c52c9757

SHA512
596a3892a4c178b84ab0863e68376ee3a8c7c9f760947418531e39b3606397537d4e9e8b088d138088ffcc0517440e844d3bc96414bf5ce9666688bc50e9a3e9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
932ed7c0130e4fb63c880a80ec22ea33

SHA1
d4110b9b8e5595d5e2eacb6db6a62d0a020ac962

SHA256
8e09f0ab133b3098ccb79fd0d413e539d1ded7457e3c7cfb6cbd4bc303ea6dee

SHA512
231f7abe92775f65bb0c2e143787a16511d96bdc2043560ba2694c3f38c97ebb5992b9a23c4a0783a8e86932e56639de205a2890a026a118ca24680b7ea2acf4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
384KB

MD5
56ab814ecef4f1d22509150150349abd

SHA1
2b6ce233b51e142b1f3d6661edc888d12f4dc124

SHA256
35acbfdc1ccc27b3077310bfa80a1a21f94722fd7f6d278e0ff1ebe40681b1cc

SHA512
dec648018318c7ff0b33d79aa994da57843e27ac422b05046507e8c1c33f68df2143a6133affe5331d9590bc02095f3643781fb44e8acf29032105d81d40ae71

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.1MB

MD5
c9270503d44f3930fe772274f518c3b4

SHA1
7cb7cdcc2573d34d19442fcd3d15f90423b23b36

SHA256
942e75b98ff75e8c547a51ddec8f6d6c2e2cb5415d4612430606edead1711fbf

SHA512
b5253660403a0724e40ef917213a4d136aaf8bf1ee9d5b68fc3f514d3d192f696fb21da1db158e026920240d9abaeaf9a867b3fa7d03b106699bbdf651a78ad3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
832KB

MD5
187711d9d45f6eedd1583a856baaebea

SHA1
b9be8836fff5d5926877edf1f27dc427dda2059a

SHA256
374c881044371902ca463fbc59b646581fc195bd072dabd53eb15c057870f968

SHA512
a8467ec31b6238486cf61e3967b81ee36558c977cd2bb962a2bc07c130096b0c0271697fb44e3389c857a8378855ae2e3e22dcb9ab50b4a0f2e4c95be98aff15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
768KB

MD5
80dadab50d225405619b563cb9f1857b

SHA1
9898f7278921d6e52b8cbce4a0455620fbc6492a

SHA256
1c8a8de5c2d93ee32fe60decc3ae96cdcbc3f898121180e3a2eb452353b1a7bd

SHA512
d189845b0130a894e17a167a036f265684bd3bd3a07890503efa5e3ba741e23842e06880ad13868a0db9ca65afc006bb4a26ae80a0be6862abf2a3aa2baf89f0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
896KB

MD5
2ca5e16fa591713773b9d0c65e948745

SHA1
42276cf37bab9c5c19a7f18db5ab79377fdadfed

SHA256
b96d9b054a954b80c2fa74ec8078804c53df8a6e7676ed36cd8f3817d80099b1

SHA512
a99f52472ec00834287281aa91b7b0db504ed36f33156666347fe04313416748188e7860f1dc38a2a37bc291e3ecb9b90b6db30adebcd69c61234eeb9ad34321

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
979a643bd62a044bf9c53ac6c0d92911

SHA1
5313861d8162f6b07fa13fc530478fc39c99b71f

SHA256
40a6bc33dec6dd3f88a816c154ec2ef772a12752beee6f474ec06c119f4e9a73

SHA512
a49ebc8ae435011772162c2d2f884659e9e65b22503a67faf1b754a1e3ef4e6256dfcf6bc80883222f88459b9df17b05d10b3751d5a8ab2e215cd1cdbd0ab83a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
768KB

MD5
60e2856a2d2a03017e19e2fff54a363d

SHA1
e862efe626db07fd4802dfbb522925f83861b4c4

SHA256
0728aaaff7d39863d474a415bc185fc2c0945ff0fed5e8497cea7b1051375065

SHA512
5f24f6d9a553b8b0fe4e563d9fd5ae7123fbd3159c8525be680e41a636c90cdd7120a8476970749232c69260de83c63d1f02d208ea4303c0b56d2e9dfe610732

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
704KB

MD5
886d701729f945338cbe3fecb7b739b6

SHA1
585cb1d955fe50387d2b0b886648aeb18619a3cb

SHA256
4a7178189f9568d3f4d395904a20ab56342567d73ba84db8c915a4f01aa40298

SHA512
79464e07e5988c2515c2cd878e5c4d4356eb654c01c10c444f71a481440162eeebaec2f976e149e534d6e75fe583240c7cf2adc03e93b3bd8afbb2179a32c9dc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
576KB

MD5
086793d5b1e089447ce4f3229c87c223

SHA1
70edd43eadfb6dd2db194336766e641bdaccf674

SHA256
633d809314873c3d83c7e04449a5d0c1bf82d0105065e5e3f4eb9e62cd033cb2

SHA512
27c910df810335e20e378de6c7ee241ab81233c5fbecd1bf29aa5fb3260321e076a3b2bbe43d54ebaaffed4dcc89aebb0ac72e36a2c5b9b892f275d95ee37b92

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
576KB

MD5
4ac3b46f7cc28562a5237be71185b448

SHA1
e5243b2de7ed377aa8228260c3288c7ded4f3d08

SHA256
cea60969714356e9b2c54154c8c642c65e7c15d3a6ef6e917918d8d0ff344038

SHA512
bddb57b90a98a79417203efaeafcfa8c9ea0fbc93197194cd6b82a2bad6f34a509e48799782b9a077ef5774f51030b7c7a6e19ad8e6eddde511013fed1e19d2e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
512KB

MD5
7a365e2849972e69eaaa571c0a7ebc79

SHA1
e27661eb9b69741f0f097677220fa7b19cbeeda3

SHA256
69763da3c4599c05f818d9b3165553ce4ffac12aac9339a7846206c18b3e00eb

SHA512
68574d14ce21fe4a9cb85bc68f3a2d26a20c7a756d0e2d3f8594e518afe91441420eefe7501601607682710e4f2ab8243bd0f6de0fcfa555bffd3204c0c47863

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
448KB

MD5
9bd07ba493b88b2d494785303c2fc259

SHA1
28231ac3448fb498d256d435fec8ed71bd1fbd8e

SHA256
e12dded73ffa4e74355cfea92058c4344df0a7e9423a6460e48c501632546e54

SHA512
d1ca7304328a47f53bfcb4e8d68988c49c3d670b606ea6149d7f870ecfc194550db2ff4b97c30225c0bc552e59daae835dadd3ac11e20e59d49affb9b7227090

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
384KB

MD5
0219abf4759443b6a6d863ff3d3cdd91

SHA1
fd66697e9683de1d947266edd0de88cc0b50ba2b

SHA256
6ea38aa8a2cd5c5de0a602497eb4124db39ed44f556ff66d70df801208d702ac

SHA512
ddfc736fdabd9097174043e4229224b4158f8405dac24a8ec106d8189e2424b73b8f636902e5d4d0fbdd520ebe7b2673fa477456c731c2cd29f5ca723ba0c304

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
384KB

MD5
b6b0eb1b29727dc6a0a6b75f1f6096ce

SHA1
93a5a56c8bac41e9bd73f16ab3948d208afe3797

SHA256
02c7807fd2a60022e9ab3b78cf5448c99761945c4bfdcf06ce1a09b5b91b3439

SHA512
e9f221c2860dd753b8e8a6923bcd9e4d31d7050c0ab9e7f1b6e7a857ba5171e89b39adf9b757507e59426536c85caf3c84ca8dd20d99af687615d2ce39ace084

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
384KB

MD5
6b018474690f4abec1ba2fbb53bc85aa

SHA1
8c41622b342a379cb85a773dcfb02c14237e6810

SHA256
57fb24ea0ab2bf8cc13778a91b762f5066af52363b88b5a4df3119205542c987

SHA512
0e0863347f3060e1c8e5d60981c196a3b4e3c3df479cc5cb18093550b7d9d6def86f1125d70fd4030a72a9fb019566682756d256d2feeae9c654f5efbb7b314d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
320KB

MD5
8503900297f05ca57b182e7454b24be6

SHA1
3cd7569aa90a5bd7091cfe6769db0f56d43da9a7

SHA256
a8e4db78f7bc779b968a24d4dec3c21c345be517766642313b84f0fc67df30a9

SHA512
f2cc169e695492f2aee0f1f9d80c51863fafc5cef8c4097efd80aec15ccc89d1a39f745c1b1b0db4f3adce182738f8ba0561080a690b1615b085f54630c4972f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
256KB

MD5
20d1ae260116816a323c1492dd1ca94f

SHA1
ef141a032d84bc63be355a1995851ced565644a6

SHA256
48085f123cbae69af98c59079cac4d7f2fbe63ac5a6fa136c8fb95549d89058c

SHA512
2223d03ff2d74f1fca2de0668ee4df61c5ac028e67b1f5bce51bc53ad67ebaa53c19e9445a51eb11a89fa52c11c648ff2159fcf103e6356106e5783c177fb215

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
192KB

MD5
c49ee9654bfd73d9ebfd53c7c3e0f0f8

SHA1
991e4073a1a1a8068b87aace6b707229da530c5a

SHA256
4a231e137237407c207e25c13d5cd094e85815902423bc73f9b1509e89f8865a

SHA512
e9bdf43873ed6768faf1e096d5504cd72fc9a03af3fcb95a2c1db95a7be2860e256293080fde122430771abb92b8cf8e20831c4d431248caedbe0944c5a82364

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
b1a7782a23f7b657ac6782544a330906

SHA1
a4bb89f8c9f69c032ac74c7fc35f06f460bf5911

SHA256
47b38fb7af4e3164ad96e4941915e26f61bd049d2b0e864c77c9fa74251597fd

SHA512
343d9989655dbafb4de7ba8456de89cb1a98258231d82e4813379c11a638067fb5f8fb93aae2f324a355905839f3742856a55d0db64b0df929ee5dfc09a31982

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
fe7ab027724653a1a1643ef3754bed30

SHA1
4369742a11478857a13f6b2d667008cfa3990b8f

SHA256
a2786419de9facf108792e16a8d96a175f782f793bd2b67d1157dacf4f49e36a

SHA512
0e3ab7d178b581ebf3877ed27ccb01f114a00dc5c596bcb56827fa34eb682fd1a87c77df61c9bf1040c7e400ca4e6ad0a0379808e56c8fcbd3d0d690b7d46467

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
d251d5e01bb1fcfcc6461fc6c21efc46

SHA1
94f0914380be324f74aa69ca5534659aaebae862

SHA256
db832d9f790681f0a81a40d40a8c8f794ffbc897046c71b2e28db255956c792f

SHA512
872945ab4e15a79413b6007ade3fb9b009be005a1d9f90ccb9d93014bb5bfdaa75c92dc148cddaf4fd5c6b7dfe35616df5d697cc16dd7be29f374c9e86dbe623

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e304fc1007721067ecd06dd4facc6b89

SHA1
a73697188f72fb34cda9e8f738be899e96a957b5

SHA256
d7a4b847858ec8ea7c2cba4ad47623c23cf15500cb9c703a207e4c40fbc3161b

SHA512
f2948c5101401fa49f1c733a8084ceaf4a878a028f9b2135044658b321167cb98fb794d761a91fe48f6bbe477beb6c57b0f4353289003432d0cdcb894811ada1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
9056239c8101f82ee71fa2d3b74f462e

SHA1
d91806d422051e6de2db19c1be121b813361f240

SHA256
e968ba4d5a604eeae79f4c028a4ae0ea8d10f19f00df4bd2a9018ca9012349e0

SHA512
d6d94558496b313aca440cdbda4e2a2652953f19e104da02c7492c763148be2a189f66f03b1c02c09c1dfc1d2288eb2753e5999df22956f891901c1456cfd4b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
a16d1c6119ba9a4d1c9b8e9231ebbf3e

SHA1
a769fb97ef99885c3c8627eba047aaa82cc4849b

SHA256
4c605155be0fd918a780c183093b2f7ab67f56c56fe8feba72fddb31e9690226

SHA512
f65d4de45f99153e4d553f98dd652888f6dc2f9cd8fb9689fc78a4f313ab8d421134a9577f15d2fa161866016a165103bed6f76973ffb51ec3e12a584b4609c2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
5ffb74e357d17d2fef711df6a8f014d2

SHA1
6800a318999f0804f1c4c2be4c090b2e4e60d0de

SHA256
4cabb00028ea96f2ed85a8794f7d3fd080965f213cbf6c64a825a48067235ec3

SHA512
9d158760b2121782cbe1204a9db532c2a097c7b3a0e9d2519b76316adc3431b73f8bcb869f08afefd19b318d6e65f778266121b201b4541f3c0f6d355d8413c3

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b377549adb7d39388457a028f9d616c7

SHA1
ad7fee7fb222c18826803ca6b4be0b28aff7fac6

SHA256
e7e2b9f197cebb262c49036ef0be8c8b59304f209fcb8b9973a4326a135626b4

SHA512
9aed9c67283ca227722d6946856d66aaa75fc57362fa79b43f92052cb8272f738f329c5139f1db7a271db902474806e45b5e681ba08042f28812d14abf3fc4f3

Download Submit
memory/900-477-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/900-501-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/900-500-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/900-486-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/900-472-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/944-378-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/944-248-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/944-250-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/944-257-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/1172-216-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1172-268-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1172-208-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1172-209-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1484-237-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1484-246-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1484-244-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1484-231-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1484-230-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1632-97-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1632-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1632-176-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1684-518-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1684-517-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-502-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-498-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1684-492-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-380-0x0000000000BA0000-0x0000000000C07000-memory.dmp

Filesize
412KB

Download
memory/1728-385-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-419-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-372-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-418-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1776-224-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1776-220-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1776-281-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1776-226-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1968-532-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-519-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-533-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1968-513-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1968-508-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2004-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2004-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2004-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2004-173-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2144-13-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2144-17-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2144-174-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2144-35-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2156-184-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2156-179-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2156-239-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2200-199-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2200-198-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2200-191-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2200-193-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2200-255-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2440-416-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2440-485-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2440-430-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-484-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-411-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2508-86-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2508-175-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2528-487-0x00000000747A8000-0x00000000747BD000-memory.dmp

Filesize
84KB

Download
memory/2528-431-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2528-367-0x00000000747A8000-0x00000000747BD000-memory.dmp

Filesize
84KB

Download
memory/2528-269-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2528-409-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2528-271-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2528-262-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2600-534-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-530-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2600-525-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2968-366-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-384-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-285-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2968-381-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2968-286-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download