76cc280d217092eb8bdae8504f14d6e9fcd5fef56887c762b45d03bac8183650

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
Size

353KB
MD5

6fcdccdb6165e840f34cb0147f0e9535
SHA1

ac3901d5e79c55605a67754f0662a591285a6e70
SHA256

76cc280d217092eb8bdae8504f14d6e9fcd5fef56887c762b45d03bac8183650
SHA512

0090e279af2c0ce4123a88710efdd42aa6b8d4f8de2531bebecd6c64bf0bed74051f3c0295b9db03393e379fc6b27b5063593c2348625768e2da8d1d47f699b1
SSDEEP

6144:zDe7lKbsPlMg/yO9TC7d/SoLFjjbVrBZ8yBH:uZPlMtd/SoRjbVrBZ8E

Score

7^/10

credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2176	mscorsvw.exe
2808	mscorsvw.exe
2628	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3294248377-1418901787-4083263181-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3294248377-1418901787-4083263181-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\H:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\I:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\E:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\Y:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\N:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\Q:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\J:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\M:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\Z:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\R:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\T:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\K:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\P:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\S:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\X:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\G:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\O:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\W:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\L:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened (read-only)	\??\V:	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\searchindexer.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{60417963-FFE7-4771-AC99-DE8A6F5DDA66}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{60417963-FFE7-4771-AC99-DE8A6F5DDA66}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE
2628	OSE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1900	6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fcdccdb6165e840f34cb0147f0e9535_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
284KB

MD5
e439430997faf032bb90db4cb3cfb85d

SHA1
f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

SHA256
d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

SHA512
98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
8174bc516ba6943da8e0f2daec453f27

SHA1
414db3d2b6875d529a290517033fbf8002a4b319

SHA256
f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

SHA512
a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
2d979e47cfa142db8bd41699ba3a6f7f

SHA1
4cbcd1f20fdd6969806285586d8c9917c099d965

SHA256
bb3a8f001f959e7fe32b0987ec47c57f26e291c9f13bf79498eff9da18072a6c

SHA512
6d150339eb5884981cd52bad319611b7f596101dae8a033a3d9df7a1e20127260625a1a88662fee6f2124f08f0163e5fb32d3ee0fac744da4eab75508c40e133

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
da2a7e0d93d7d2292d55139069e1ba5a

SHA1
0e32f03c0cf659151af8198912621785b599b564

SHA256
ea95164d0a7fbbc31a3221c82d68f0918d3aab8947dd83d737d68e2072a933ae

SHA512
9b2022c8d3943777656064377c70b60700ba90e24f87a12ca04fbc47f303b458c7dac7bd19e18eab1c6b4cad14bfbfed293626ec7f8c6dc9539f5829a54d5581

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0cf012fdfea9bd33223bc472f29ad92a

SHA1
ef861d740c99a22659969da5761a953aa2d4f7f4

SHA256
dba3956dd431b580bd32a9516a6c397e398cbf7c7dd3730975843c089f5bbd12

SHA512
0939c2d16acdf92f26b1ef734ca00d7fd37b9b9c2c4d1a6f133ed9c3605fd9fdaf1aa6096be2d30918b9e40bdc69ef9ca038e1fc5de46968f9bc47a73cd1efa3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
4e73ccb844990dd4715ff295529c05b6

SHA1
2edc2c8112e604e1a08764dde598258a682f1031

SHA256
4a86d6bc3cadbffeb88f36f8cc3147bb805d48e10cb2d2c571bbff76cb594c68

SHA512
a6b6b128c66e390b4e89a9493222f5a0d7dd44645a98cf5571a35cc688bbb0f1c97331b59248fe6fdf37fd2f2df7f08d04fd69227c56e8246c199b765d40517c

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
6ce2e01ff0452170c2f5216c17fe5350

SHA1
5d549f1ab908c19ce468223e08ff5cf417556f35

SHA256
681662b27755cec4fa903ce27c908defcc69a911bd5230f25062ec50ffe362f5

SHA512
7f9adfa72b0daf39706bd949141377464a5fd1f4f75a2035876fa91a202006e572ebf064e0ef751c1c7782fe8e021426105e11ae25c67e24838dfe53c6f0a824

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe

Filesize
562KB

MD5
6dcded6c7dea1660f5fdaede7cd90b6f

SHA1
b769ac93506b20e1791440146086cf7df22044e7

SHA256
bc477cd26c08a20dc4e51c6fc6fbfab0595428709346155b5a37287111aa47ff

SHA512
55e298f1251d599c18b0516467994cfc314ab46b5e2e1ab1b576d206022496a57107e965ac204cdf9866f31e73feb043f0de2f10ba7f1fba8dd2404fbe0884e1

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
786655e4d9551066745196534567b561

SHA1
89c1484576f34a68962ca719d1450f6083847df2

SHA256
4f49286450e8149b95ba67312493830ee4a61ae3bac4241fe97489d80332b38d

SHA512
e93d1acf4dcdc6cfa074f59a280bb22b9841695f6503600a0e08512dea4184f2a05f0b8cadabceec2a764aaa6cd1f2e2e260497814aa0485dca6bcd40cd345ed

Download Submit
memory/1900-1-0x0000000001006000-0x0000000001008000-memory.dmp

Filesize
8KB

Download
memory/1900-79-0x0000000001000000-0x0000000001097000-memory.dmp

Filesize
604KB

Download
memory/1900-0-0x0000000001000000-0x0000000001097000-memory.dmp

Filesize
604KB

Download
memory/1900-45-0x0000000001000000-0x0000000001097000-memory.dmp

Filesize
604KB

Download
memory/2176-12-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2176-13-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2176-30-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2628-46-0x000000002E013000-0x000000002E015000-memory.dmp

Filesize
8KB

Download
memory/2628-44-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2628-80-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2808-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download