7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
Size

1.8MB
MD5

4901a08eee2cc636f6fd904b39beb89b
SHA1

ddca16ff6a8bef2e331139f0b1899a969cab34fd
SHA256

7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af
SHA512

b73aa63af1d20d3ab8f510fbd9c26e19f8e6458a527fd260935c8d8e056d5823d4b8f838426fdca4734d9da79113b2858b2bc4c6e51b286160c2ec602d32ebee
SSDEEP

49152:sKJ0WR7AFPyyiSruXKpk3WFDL9zxnSO8HNUPCAaq8Wdo0:sKlBAFPydSS6W6X9lnF8t4C7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
464	Process not Found
2648	alg.exe
1184	aspnet_state.exe
2796	mscorsvw.exe
1712	mscorsvw.exe
1708	mscorsvw.exe
2288	elevation_service.exe
824	GROOVE.EXE
1972	maintenanceservice.exe
2172	mscorsvw.exe
1764	OSE.EXE
384	OSPPSVC.EXE
860	mscorsvw.exe
2900	mscorsvw.exe
1372	mscorsvw.exe
1960	mscorsvw.exe
1664	mscorsvw.exe
1600	mscorsvw.exe
2612	mscorsvw.exe
2528	mscorsvw.exe
2076	mscorsvw.exe
2836	mscorsvw.exe
564	mscorsvw.exe
780	mscorsvw.exe
3064	mscorsvw.exe
1320	mscorsvw.exe
2156	mscorsvw.exe
1672	mscorsvw.exe
2148	mscorsvw.exe
2540	mscorsvw.exe
1360	mscorsvw.exe
1948	mscorsvw.exe
1252	mscorsvw.exe
1944	mscorsvw.exe
2192	mscorsvw.exe
752	mscorsvw.exe
1828	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cad892fe7df8f25a.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F01.tmp\GoogleCrashHandler.exe	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DACF1076-23BF-40CD-A7B7-7111819689FE}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F01.tmp\goopdateres_pl.dll	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F01.tmp\goopdateres_hi.dll	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F01.tmp\GoogleUpdateOnDemand.exe	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2120	7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
Token: SeShutdownPrivilege	1712	mscorsvw.exe
Token: SeShutdownPrivilege	1708	mscorsvw.exe
Token: SeShutdownPrivilege	1712	mscorsvw.exe
Token: SeShutdownPrivilege	1712	mscorsvw.exe
Token: SeShutdownPrivilege	1712	mscorsvw.exe
Token: SeShutdownPrivilege	1708	mscorsvw.exe
Token: SeShutdownPrivilege	1708	mscorsvw.exe
Token: SeShutdownPrivilege	1708	mscorsvw.exe
Token: SeDebugPrivilege	2648	alg.exe
Token: SeShutdownPrivilege	1712	mscorsvw.exe
Token: SeDebugPrivilege	1712	mscorsvw.exe
Token: SeShutdownPrivilege	1708	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2172	1712	mscorsvw.exe	36
PID 1712 wrote to memory of 2172	1712	mscorsvw.exe	36
PID 1712 wrote to memory of 2172	1712	mscorsvw.exe	36
PID 1712 wrote to memory of 2172	1712	mscorsvw.exe	36
PID 1712 wrote to memory of 860	1712	mscorsvw.exe	41
PID 1712 wrote to memory of 860	1712	mscorsvw.exe	41
PID 1712 wrote to memory of 860	1712	mscorsvw.exe	41
PID 1712 wrote to memory of 860	1712	mscorsvw.exe	41
PID 1712 wrote to memory of 2900	1712	mscorsvw.exe	42
PID 1712 wrote to memory of 2900	1712	mscorsvw.exe	42
PID 1712 wrote to memory of 2900	1712	mscorsvw.exe	42
PID 1712 wrote to memory of 2900	1712	mscorsvw.exe	42
PID 1712 wrote to memory of 1372	1712	mscorsvw.exe	43
PID 1712 wrote to memory of 1372	1712	mscorsvw.exe	43
PID 1712 wrote to memory of 1372	1712	mscorsvw.exe	43
PID 1712 wrote to memory of 1372	1712	mscorsvw.exe	43
PID 1712 wrote to memory of 1960	1712	mscorsvw.exe	44
PID 1712 wrote to memory of 1960	1712	mscorsvw.exe	44
PID 1712 wrote to memory of 1960	1712	mscorsvw.exe	44
PID 1712 wrote to memory of 1960	1712	mscorsvw.exe	44
PID 1712 wrote to memory of 1664	1712	mscorsvw.exe	45
PID 1712 wrote to memory of 1664	1712	mscorsvw.exe	45
PID 1712 wrote to memory of 1664	1712	mscorsvw.exe	45
PID 1712 wrote to memory of 1664	1712	mscorsvw.exe	45
PID 1712 wrote to memory of 1600	1712	mscorsvw.exe	46
PID 1712 wrote to memory of 1600	1712	mscorsvw.exe	46
PID 1712 wrote to memory of 1600	1712	mscorsvw.exe	46
PID 1712 wrote to memory of 1600	1712	mscorsvw.exe	46
PID 1712 wrote to memory of 2612	1712	mscorsvw.exe	47
PID 1712 wrote to memory of 2612	1712	mscorsvw.exe	47
PID 1712 wrote to memory of 2612	1712	mscorsvw.exe	47
PID 1712 wrote to memory of 2612	1712	mscorsvw.exe	47
PID 1712 wrote to memory of 2528	1712	mscorsvw.exe	48
PID 1712 wrote to memory of 2528	1712	mscorsvw.exe	48
PID 1712 wrote to memory of 2528	1712	mscorsvw.exe	48
PID 1712 wrote to memory of 2528	1712	mscorsvw.exe	48
PID 1712 wrote to memory of 2076	1712	mscorsvw.exe	49
PID 1712 wrote to memory of 2076	1712	mscorsvw.exe	49
PID 1712 wrote to memory of 2076	1712	mscorsvw.exe	49
PID 1712 wrote to memory of 2076	1712	mscorsvw.exe	49
PID 1712 wrote to memory of 2836	1712	mscorsvw.exe	50
PID 1712 wrote to memory of 2836	1712	mscorsvw.exe	50
PID 1712 wrote to memory of 2836	1712	mscorsvw.exe	50
PID 1712 wrote to memory of 2836	1712	mscorsvw.exe	50
PID 1712 wrote to memory of 564	1712	mscorsvw.exe	51
PID 1712 wrote to memory of 564	1712	mscorsvw.exe	51
PID 1712 wrote to memory of 564	1712	mscorsvw.exe	51
PID 1712 wrote to memory of 564	1712	mscorsvw.exe	51
PID 1712 wrote to memory of 780	1712	mscorsvw.exe	52
PID 1712 wrote to memory of 780	1712	mscorsvw.exe	52
PID 1712 wrote to memory of 780	1712	mscorsvw.exe	52
PID 1712 wrote to memory of 780	1712	mscorsvw.exe	52
PID 1712 wrote to memory of 3064	1712	mscorsvw.exe	53
PID 1712 wrote to memory of 3064	1712	mscorsvw.exe	53
PID 1712 wrote to memory of 3064	1712	mscorsvw.exe	53
PID 1712 wrote to memory of 3064	1712	mscorsvw.exe	53
PID 1712 wrote to memory of 1320	1712	mscorsvw.exe	54
PID 1712 wrote to memory of 1320	1712	mscorsvw.exe	54
PID 1712 wrote to memory of 1320	1712	mscorsvw.exe	54
PID 1712 wrote to memory of 1320	1712	mscorsvw.exe	54
PID 1712 wrote to memory of 2156	1712	mscorsvw.exe	55
PID 1712 wrote to memory of 2156	1712	mscorsvw.exe	55
PID 1712 wrote to memory of 2156	1712	mscorsvw.exe	55
PID 1712 wrote to memory of 2156	1712	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe
"C:\Users\Admin\AppData\Local\Temp\7b33c10203120082f771de53577b5ff1d2439419dcf5d721273e5765dba9a9af.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 244 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 27c -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 284 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1ac -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 184 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 278 -NGENProcess 264 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 264 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a4 -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1dc -NGENProcess 1d8 -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:824

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1972

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1764

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
8c0a30418de2fb68636708b7a737c359

SHA1
6c1fb298bbaebe605bc7a90d37369151030124e5

SHA256
2e8bdc50ab60ae6643a8ce43bef53dfbe15943628f63b866d71fd276532789b8

SHA512
13c60e9f1b4d0ca16f5320af984b20336af390479fef05c9ce3e3b4196965bc0ee51a65483609847712c722c1f8a1427fc5c923f8ee39ac9ca68021180a04154

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
542d062495a845b3adb7a7e172b458f8

SHA1
c463111c39660cd42e65930eed0ef2850c020ee5

SHA256
34810e61986f2aced6fc3b61e89ea05239ad6cdaf68297ed1473f390416a65a3

SHA512
f9cfa269c9663308a00098ef1359c88275759a66829127e8410bb927f447917951422efdad94ab4f36ace89ccdd92c59b743804da6ab73fd18ea93af586761ba

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
28d9d17a99bdcfa5ca1ee37b1d928a9b

SHA1
faa6ff789b0a57c31fc9e9b18deeb4faf99feded

SHA256
5bcce55e8212db953ddb8a0f958f6fc16aa349f48ebb26bdb1c2758b2522cb5a

SHA512
f00d535971b4c9ca9b084ad2a64ed11bae2543726096f25ebf880f6d07cd1d506cf127e152bcd7e2a6a00d5f66c80536074130d03e1ea4ca78ea455ea8f2f345

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
87c336b57897fb5748e5c85adc7dcc83

SHA1
844849fb51441f108110c078825d873598e42b26

SHA256
6fb7117596975ebd52fc2a2aaa319a124a28bbdc428733082fa55971d4fc4b18

SHA512
13fc20b4a67c7cfa94c8b819040bfb441a2499a3dbe6c9a9b4870f1e0d8fcef49eb189632db36da3a9b2b486813baef3688845a17561519c166ce8b7050a08af

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
f063caa98967578d17eb038bb5451a7a

SHA1
509a6a9d13554c8db28a34592f33133dedc6bbb3

SHA256
c4aeffdc4b8ad88edc3ad8b5f5892f4f2a33abc6a77f3d75a5f60526219328e8

SHA512
1a460c6dd232aa417f7a39631ba4ece8e0ed7546410daeed8661e2248baa4da1865e4d305f0dd21409c231a1e59d04fefdb6951ae23e62d4aa8cdd14c9c73e8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ce52ea80d88aae76772ebde806f2b058

SHA1
6e7b9104eef9a680efa65c199d007e95a3097aa3

SHA256
53e4ef0701658676a18b82d71f8fee0cdceee544d74d54d89660219ad5669724

SHA512
093aa8a9f76393edbfd3b6227dfaab232aa4f2d60c8e84d7171f5c8fc61566879a6bbbf14198fa5b8de95c2d1b8d6aa5f0fd9c302c0944a297a8afb81587575b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
dadff526c9583310ae1cb454fdbea640

SHA1
2435db11aaabb3f39e5939296555e12668515791

SHA256
e829441b68a2791bee84488a0b00f9b322c5bbe57fea0dd2fa78a34b4d3213f7

SHA512
7e715649e66cb7dee6bdcf1ad0ed3a2d366dba9b93d15696571729ccde4c4caffb77bbdf948baae51e82788348cb6a7e50cbefa81c03b2f3fcb3c2baec27e130

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ed3338b8835fdca0b3d23f6f350a65af

SHA1
cf0f8158ea5a93228ef03891b8f7d73f2aa20e96

SHA256
bef88f3e300243a91a321cc956e728f6e55662f9c0410447f078e9a8e84d0ad9

SHA512
5544f4de64d654812f144816176a29ec517ebeef5a78a458ea5bdaeba011741f5c5f968998e0a1bc6e0923b462164af511cc9761689c20a447559fa935315195

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
238bf62ac23954e6592451902b1f28b5

SHA1
c3ff5cf8f2d75802aebb026acf52075640551548

SHA256
70bf0011a9b9b93ca2e8f7fc4fe121f65db6c877b8d5b12d5781e2e48ccd7ef1

SHA512
057685d5f58f127294032aaaf97d4d8df0f13d0764c87d6a46952436c9c92f93b13f4f6afa3f05ba7cd37d0bbe5e39bbbab0c6df808d4ea7656ec91596b216c5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ce66b81b6e76399cec2a11ce02e9705f

SHA1
00fbf9987587262e1a24a8bfd05d7c6c8d975d30

SHA256
0538b2863443502b3fb7538e91797b4e2aeadd93a97be6bb82db1261cc553edc

SHA512
78b87e9604d964ab1abd5454e9380d20cb0be9e518f6ad30fb893424470a132740b467b8d9b15d642e5d9ad35f8e5ea8a97f51bdcee259b8a6a34d154ceefe7e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
00c19aa31027527eab6f228efd2c205d

SHA1
b030dbf6133495f11e3225756b125fde5b8c0cb5

SHA256
311a34bcf0cc1148ddda531b67e967bdbce205bc45153df77290b97288ba1a6f

SHA512
8acd5f1083fee201265357dc85301d2cbd0bbc1009e574521b2b010da382bf5e7a367460595a182f172df617445f0cc070531f65ad8b149ca31ddb64a195151d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
603f2ec1c31d35ab8f05e9d15f2a219c

SHA1
7bb4fe2213bd05febf4f1ab259188ac03e2bed4f

SHA256
593b6e39e882d92625e2c36385bad9b2e418d3998be682904aabfa650677e406

SHA512
c41eded267191dda7d592b1e4328a4c00683be6b87c3026126f3de6fd093b50cc435545e9fe91b803a35b9caa934fd8831ac1eb6d98059c03ac0168ccf60102f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
863a9eef8b8f5e4c4e4edb2b55dd4faf

SHA1
414ba5a25c328f225bc71bfd06df10a9b796fe3f

SHA256
436b96b3566355e26c365510cebb956faf568a4deea643900ea8a373667129d7

SHA512
7a755322cafa81541ce6f5cfe8565aef57781c3a3f34e9c6b2507a59a6235dce82505907021a5d3814d153d3317408ed8bb3b370504e4f4fa15d3a062110f13d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
34bff6e6f44dd9afcd74c14fe00a3657

SHA1
15f4c713a7ad5f5a6bd48ffbbb6e218ad40714f3

SHA256
5bc78497b13dccea81a807167c68881401c187f24bd2874165ea4f4751395548

SHA512
640239c96928b9b15cdcb057c35057fac83b52fdccb2773961bf87f6187870ec33a9ded528b355097a872031c9d8058d4cda1f982bc8bb688031f1ef7fac28ae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
82f44667f70400b6c3bbb50c62aa1d86

SHA1
2a31cf00e6d6f00fc1be5201d5d26a48d15fc402

SHA256
f46b939873fa21c2ac2af25397ab63eb1c4c345359a89ea597df2ceb43e33001

SHA512
b7ffdd83dd470d41be926f99d520da47ebeeb9d86ff0f992e64867432d0da29724c13ec1bffd3ff854603ff53ded1808b1892260813878d96d21a143398ec2f1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d40635867bee5b421eb3e49be18c2862

SHA1
417c2e6bdbf8a7cca5fa70544c5bf0099b33593b

SHA256
15357929570875d50927f9275e6bc232a607b866bda99599a9729e4b7ad69890

SHA512
e39c980a3955d491d016af02b480c62bd3ae8d0dd48da4a2882bfd17571387a6075f6fd6b49fb39288d0f5b83a9c4620bc663aee3160b50e618837ea1cd8fc68

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7a84c3cd0690b0ae8eba2f3b30b68711

SHA1
398f9b8941115a6abdb5c3e8237373faf50ea942

SHA256
1839399d30bf3c848d4a74cdd3611419055185df103d1198f74bb85e79c470a7

SHA512
e0a487139a7d01acb2113e521612b97dbc336c95e97b9ce2743871eb4cfcd958b32dcdcfa24ba8838bfc0e06d12aea27cb41d905bf1a8e6a44fa8c891247e33b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1c6172d750c2458ac623bc0d06f0006c

SHA1
a296bead278ed693f88bd3cc9fe7e16fd4dbd145

SHA256
3593fdb1137338ba5e7e771d59aad4a00c3e919f29f59adaaf92c378d13e031e

SHA512
4179a14f463bc849cba9b4d73bdb799bbefb5b07b57fa0d22336db1d7b277b329cb4d3085c9fd50efc0aff82cd9ce2c230122b61c25e93b73e3aeffa29c7f291

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
c0d722dbeb99d9ee874d895b2fe54ad5

SHA1
d5b10355e33bbe0430b3606bc144354d21c82b00

SHA256
d8691ba91ac841db2ee6117b9acfc9053ce39276f99705f5dca846c4cb33df76

SHA512
304cdb7238a12b33c87a781b976abf43c4c440a5b98a4f8d14c9f2d7f407af8df0d0bf90d71a7b66a303a89f1d78a210e8a812774d0335befa8b9e0477475ea6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
d2dca3638cdf63a28aec50d89ad1c175

SHA1
be2cd3cf36c6d47e7f5f55a3831ff1f3577e8b47

SHA256
c16629f5ffd566d51de3a07cdac01894f451c9decde62c0dc69d1de3ef539f57

SHA512
038c4ac8f54d8b71319b8ce4968dec39ea2672864856be5be54b4e7bbe41913eb838bf4f69adad39a15b2cf41a1424099726d1d54ff0f23b1eddd57cde851c16

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
2438ac4e6b8b57d89cd158a95ce00c70

SHA1
cf4a3773526a86d5f3c359876aeb2ab1d127cce0

SHA256
00fb5a75d94b19a465fd91cc60ff24c5b134f07befe9dd880d035402ffa12436

SHA512
428dac33e51414e3c1abbb55083e4c23a09bc2dfef46fe205eb84ab129d0ab42a851a7b0b5f3c60b3c38733111907c355e951fff84c398aae65ef081c2234bb5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
d51a501a764d04a7604fad5e9b567f59

SHA1
a699e5466b2171a42810a275e83c6d509e1c5684

SHA256
f2f3eedffbdc745300a3fc9be61a3cfc751c704b01097db9244ad42ccdc9420d

SHA512
a0364f880d1982141adbd5a9c293da84972355dd0e76104bcc027e9680ea6f0612d6291f47b38ce507b9a041e4c19a6ca010818a127d9415bf3b3f2a0a9a8ef4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
44d6d9642fa8ae36569bf15e8ef368ff

SHA1
7cfbe854f4ddd2957ed5f0926f33398e0fa63377

SHA256
6402e3560b2acfa044cc27bc3145f044deb8b564ac2c02b08e5a4771c736b86b

SHA512
234d83a9145f7bbdcf478f829d9dc7e98befb506ed3a08e07c22c9e5d2da6d76a2702b7c1180b5ba41a1fae3fa4ee8c29bd8442ef634a6b7618d90624c509e63

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
2409f132827b27ad9f763ec4f1f6459f

SHA1
c80fba45b85c2eadf05c424326cd4bad3607e305

SHA256
53c17602b7c3fc765f27a9a63379ae061e7abba50fcdaa668531bb31fc8ab685

SHA512
e88cd03a8444cadffe46e7033eb44d44d989bcd08f7da4a4da04fa337b7d3a16cb38b3f1deab079ba413a816ffece870d4ccb78456817075aa353b573cd2a123

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
c84f0dd8362fa1f1a66c8cc0c0c63ffc

SHA1
b9b04c40a62c4c7d8c29b6f2671d0686825cb3fc

SHA256
fa760d9d0a6e03847a17023481aabe8bd1f7ad59ca60fd21a238e3eb3987fb26

SHA512
a6d522a647c05dd0901bdac6dba9bcc687c8fb773a2a9d0ebeafedda47ec8cb21d6f06ec83ef1086e9affc2bb8966bce5589a8a4f9a29d3695ef6d23342232d6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
0794833ef3b27a4a5995dfd07460bebc

SHA1
86a3939b2fb2e716f8cbe0c4781f7ff2237891ec

SHA256
31194f97bfb23763a6fe89e05a0e11c0ef8e1d72444b31fb340a2467b027158f

SHA512
77fccede7d15da6f7f670d21886d7ffd82e74833f9586c0186b3bc98b714672234f9ad7912f2a3c731411aa233ea61769c46113dbd6d8c978cc0cc7499c6905e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
1439b8bc051cebc374b3b596de0da924

SHA1
cf268ee11d728bb7f263b4442e589d283e068940

SHA256
9a923d951ac00b53a78fb2cd98d47c0506a2d9be2bdfe6619f0e01ef988c26a0

SHA512
6ecde461ced0d6109091d95c471b648859794588455d1fb2da7353539f0f7c0d6d13c71b5849918f0cc29e1b77c794fae58f56300f678e5a95927123a88cd24d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
97e8b6f76a62532d4fff0802a9fde314

SHA1
32c7fffab4aa8ca0092afda7ce4c334246de1f26

SHA256
48f0ed3cf92420edc0c01f82ca93e6377f7fd06173410d32c880c55db560ba89

SHA512
75c42e5deb13160868a21a18f6e12d6c2cbe93fa8b592cceca51b7b95074c37030650f93cbf86bf95422105af3f4b8c62fd9703eeaa6116896d5a9013a576e03

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
060b2ee5c2dd410767b886597d5f9271

SHA1
23c30f6f4495176ef7815201d7ee157c14e646ea

SHA256
c7d5194c6498633488610225c2b5d345ce50e67daf4ab3b40fa1fa718a72630d

SHA512
5eb46cacb1796b656b9f77f5ccbbff3ad2f676bb5467819bd7cd15d7fe0fa279566bc36ba6c2b34b06568e6a1d341e2a68782347f0f152568a2a5dcf0a448140

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8ee87a819b8462bbe6df4383f3c4b835

SHA1
0d10785de25b880e23016f9430b0d750325e2ff1

SHA256
af27ee857cb821ad3f18f0a02165c274ac3a74eb2ee927691af3b1753ab7efda

SHA512
dd4b23a9ffdd65b250f869551ad2dc5ac04d5b0fc944d10b25063c03a0c19f3f1512b3f62936263820d222abc571bfd84f7cbcb867294ad691d5ebaea6f694d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
fc00b3b221a6f5a1145d67f02d6009f6

SHA1
f697037c4554002fd541723c7a57b85a2cf39d2b

SHA256
03a8713623628bdd9cda932b01f7a173df169d530ef2efc2c6c8140da8befb1a

SHA512
2f83b33ed7a20bee7dbccd70d3bf89d85c8864d9552cd92bc47810143c990a42c7988f6e556b4f0f0918ccc0280851af948dfaea2f682f57cd8a80fcaa84a5d5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0605b964428a87b02ca70689c164f08b

SHA1
4553cbed72d765e240e980a2fd6876a8b572f7f8

SHA256
f3ad1f87edcf289c5a1b2c4df99b19976968f292994f7c3e31f39f152a2f12a4

SHA512
ac5e0262b09c614dc628ca1a99004659cb39391bac0682566c1c87151d2651cf441151bb78543d663fb4e1243c9c0ea2f7e0b443647ed61ea460786b714a5f4c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
73615ff2bfa3270601f443d3efff9174

SHA1
f84238db09135240a4582bbb6237554f2b15fc35

SHA256
7c73e2292e1bd4b5372bdd0202ecca6680257169feb46b44650f25779301894d

SHA512
2be5a54be7f3dc9d9502005e7bb342b9c60450c94ac390cbf8bf51c900763cf5e4b36823b8da376098764862e703da8be7817421fdd6c527f46274faf7aa5f65

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
d329771d14badaddee67b2e4acca379e

SHA1
a7a5bdd9e323e76ef9f9822f30c2d98bd65495b5

SHA256
613abdd3ee9408b05d94022662c4bc5d4c246a48dc5138646ade9c641ea4a0b7

SHA512
55a9de9f5d0082f83cb09ca0a1fa31e5e752e1942c8ed2c50011ef57dd659fa9cb7b7e293d9066425e33dff243306b7ef95105044b1630d1e3ad9ebc3753745f

Download Submit
memory/384-425-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/384-428-0x0000000073858000-0x000000007386D000-memory.dmp

Filesize
84KB

Download
memory/384-275-0x0000000073858000-0x000000007386D000-memory.dmp

Filesize
84KB

Download
memory/384-266-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/384-262-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/384-258-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/384-254-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/824-220-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/824-221-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/824-265-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/824-215-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/860-434-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/860-427-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/860-451-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/860-450-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/860-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/860-436-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1184-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1184-223-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1372-466-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-480-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-481-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1372-479-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1372-453-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1372-459-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1600-503-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1600-509-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1600-521-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1600-522-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-508-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-491-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1664-507-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-495-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-196-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1708-255-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1712-180-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1712-186-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1712-181-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1712-235-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1764-424-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1764-251-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1960-494-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1960-478-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/1960-493-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1960-474-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1972-229-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1972-228-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/1972-243-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1972-237-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/1972-240-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/2076-546-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2120-174-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2120-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2120-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2120-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2120-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2172-246-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2172-245-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2288-203-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-210-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2288-204-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2288-263-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2528-535-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2528-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2528-538-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-550-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-517-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2612-537-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2612-523-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-536-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-41-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2648-56-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2648-212-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2648-42-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2796-193-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2796-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2900-448-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-444-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2900-465-0x0000000073C10000-0x00000000742FE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-464-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download