84c3dec959703a8b4da4a80699c9824691ac0a09c2e10b27c1e2387c217639d7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
Size

808KB
MD5

c12114b9db125b505852cd828ddd74d3
SHA1

b4210f379daae7714411cf3f34a43433b7e79356
SHA256

84c3dec959703a8b4da4a80699c9824691ac0a09c2e10b27c1e2387c217639d7
SHA512

00dc1d4f3b70cd6f7789e0fb47c10da5b87163f66efdf660452fc03088fe0c82bbe292f9ca40c455cc3a1ac9a2d937b057fd13fdb433b3f23ffaf1db43d7a817
SSDEEP

24576:PybubCa4AEEqtLX8g8ChUae3HhZ39PqVr1r:aabcARaLX8zC0HhB9Purl

Score

7^/10

credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2120	mscorsvw.exe
2880	mscorsvw.exe
1832	OSE.EXE
1052	iexplore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2958949473-3205530200-1453100116-1000\EnableNotifications = "0"	OSE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2958949473-3205530200-1453100116-1000	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\Z:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\H:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\L:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\M:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\P:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\E:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\I:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\J:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\W:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\T:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\G:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\N:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\R:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\U:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\S:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\O:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\V:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\Y:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\K:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\Q:	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\msiexec.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\dllhost.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{457CA50D-7EB9-4A2F-814D-EC127BA24827}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{457CA50D-7EB9-4A2F-814D-EC127BA24827}.crmlog	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97ED0961-62FE-11EF-9232-D6CBE06212A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb780000000002000000000010660000000100002000000040153132e2351a70f2a0d2b8ca01fc99da55cbdb7cae3c870282761187b99283000000000e8000000002000020000000199a25a1818b65e0265d132abaee99cdd6be41264a50aa2c6b6f3080a6ceb2ec20000000dd840658f157dd6688d1771cd53da7805b772a97e51c6bcd64cfba0fbaa3bb5540000000daa666e5a377999e43d30c472432f2403e6a8bac3c751c269bc6f5c2b19c212de85096459e2b674998dedd9f55695cf439e4e930b42150b1b55adc35b881ef58	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\User Favorites Path = "file:///C:\\Users\\Admin\\Favorites\\"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000781d6f41b6d0f6e89cf6b9164bb75863d59240f0e2cc5e6e5af73f76213fbc93000000000e800000000200002000000005ea6506e74ca52467837ae36d3d8f330843b9d0c12284de984a88e1aff4dd609000000012081943cd3fbfb1701d5cfa98f7a8d2c85ef53a200adaee1ce14d069defd931eca43fd8dc7c38726a238f2bea5b1ff0cd6c32f8e59ddcfecc4bd8a7780fb659f3207128c72379ab623496858fb04e43b2f696bcc80cb30a5cf029c7777983b1458f9d8816ba265f4bbd88400a39da147d3663a7412c3e8231e95a9796fda4840e1475a1cbc006df9c0f067517847c8c400000008a97cc591d8fda7b14c62641abd19ae548f6db4a5fbdf9c6c5ebed4b4c236918d3a0eacf0b6ab3316b637c9a2d4339a7bc342b74e861528bff48f3d1e2675154	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "6.1.7601.17514"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430764975"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\UpgradeTime = 902a935a0bf7da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\ConfiguredScopes = "5"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\UpgradeTime = 909b955a0bf7da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\UpgradeTime = e093a25a0bf7da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a882710bf7da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE
1832	OSE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	OSE.EXE
Token: SeManageVolumePrivilege	2000	SearchIndexer.exe
Token: 33	2000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2000	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1052	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
1052	iexplore.exe
1052	iexplore.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2072	SearchProtocolHost.exe
2072	SearchProtocolHost.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2072	SearchProtocolHost.exe
2072	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1052	2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe	37
PID 2416 wrote to memory of 1052	2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe	37
PID 2416 wrote to memory of 1052	2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe	37
PID 2416 wrote to memory of 1052	2416	c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe	37
PID 1052 wrote to memory of 2236	1052	iexplore.exe	38
PID 1052 wrote to memory of 2236	1052	iexplore.exe	38
PID 1052 wrote to memory of 2236	1052	iexplore.exe	38
PID 1052 wrote to memory of 2236	1052	iexplore.exe	38
PID 2000 wrote to memory of 2072	2000	SearchIndexer.exe	40
PID 2000 wrote to memory of 2072	2000	SearchIndexer.exe	40
PID 2000 wrote to memory of 2072	2000	SearchIndexer.exe	40
PID 2000 wrote to memory of 2056	2000	SearchIndexer.exe	41
PID 2000 wrote to memory of 2056	2000	SearchIndexer.exe	41
PID 2000 wrote to memory of 2056	2000	SearchIndexer.exe	41
PID 2000 wrote to memory of 2840	2000	SearchIndexer.exe	43
PID 2000 wrote to memory of 2840	2000	SearchIndexer.exe	43
PID 2000 wrote to memory of 2840	2000	SearchIndexer.exe	43

C:\Users\Admin\AppData\Local\Temp\c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c12114b9db125b505852cd828ddd74d3_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.wisecleaner.com/order.html
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2896

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2072
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:2056
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
284KB

MD5
e439430997faf032bb90db4cb3cfb85d

SHA1
f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

SHA256
d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

SHA512
98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
8174bc516ba6943da8e0f2daec453f27

SHA1
414db3d2b6875d529a290517033fbf8002a4b319

SHA256
f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

SHA512
a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
b2236b39225726b0e04896564626e84d

SHA1
18c6ba27eed60a637a1f633cc23a68f434f5babc

SHA256
a35043776ea406ff71af20194392231047a7b27858e707923bc5cdd5354880ca

SHA512
f83f5fcdf3236d2daed96b7660226a9ea5565db9d4fbbc5883694c93c7f20ced5ef32542d24c44227121a288066125490921c883be340446a5e88a51df8e562c

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
785KB

MD5
0685765c0cbe095ba0c6c8790bae21ef

SHA1
ac421b25637dae29da89bf128c8767a85ae9ff9d

SHA256
1b3c732f64215970519e0895e6153ea3e83da8877a83aac62520cca5c04bd267

SHA512
feae15fa071e0656df05c6e0bf00c9cc6840d31b8f7f6edcb2738e59bf2f7bfd967537c7985285b1526cd508ed0792f7e14a6b4c8dfb64880d009b8770df3494

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
017ace9bd07611b1a4728ce71fce9777

SHA1
7f13c6af85be9e54d1dff99576e0a071083a0f90

SHA256
ff97c5548e7471cf5df397e9a69504e2abc66ff5c7d702e9cc99341e5c63edf7

SHA512
d4d79bce57e06fa6d44b985d306d6d3e718aff83b88991f6624d4905f97698fe8b56515cb9f356fc3dc648c9a0f1e7f4e99f92b84feabb6d2f104439f6cfe8ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
241eef9a890096617ebaa754c47224c0

SHA1
8cfb559829339cedb27da501a3d2b20dc67a5613

SHA256
b31a306fbf7a7380e45e3fb1ab061beac24b5e48ae0f1e0c401ef786cd23bbd2

SHA512
736f99b419d695fe0dd42b3594600eaca2e22fb150372319bcf03f9394d496afd96e2ae441a270e24620d45a03de8c479b90618bbd102aa70be93344b549274e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
46797a65b80392cc8b6df6a144fb327a

SHA1
6ad3a15ead1a1078081e5f00608e11fca93abb9e

SHA256
3286466ed755601aeabb37ea83de0cf5321bcaf10b52ff79b1321dc527808317

SHA512
59572f2a963b49b178253aad5666640dc5a5044b482e7862f8d2328a936fd974d04b479ab45c7125ac4cb14929113588e887e4d89b34cd1c6e005433fbb2c611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e9295b46d114df31407e13bb5b1784b

SHA1
adb247698813ebe529901ab65cdafd6c28ef1e73

SHA256
c062c2c8adadc775da423bfe1a620b31613698c8d220a8ad4771748f06fa8c23

SHA512
e83cd0ab691c03740b3647130a4cd3b8333434c4b05760b859fb08e07084d33ce3c4fed7ccfec8cbfa284c43a5bc627e8e3bdfe8db208bf00a768d24bd76899e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad1c5d96a84205556cf1c6d9e8e93a1a

SHA1
a44b88dd10eaf77c29c50d9cbeb127819660022d

SHA256
5eaa559824d9b2338d79812642852f796e8a2c20130f92c49fae6586be16071b

SHA512
65de97d6cd6a9080a57444d6b882f74fd6036f4af45a359595b1a907d54fce3f174823ddc8a90268b01a03efbb9043cdd84820b364c41ffe030440f749a09cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2353502692d67baef8a73a24aa82275

SHA1
e22659c617644894479b3bf96b1978736fb0d8c9

SHA256
052a7f3d707aacfddfacad2ffc06bf7c89e699a1b0d4fd0fa96966d81e5366f8

SHA512
9502adb7b53c3e393d6294e3d0f07a9e375f67646d007a42c0df5314cc4818554529ce9e0fdd913ca1f8893807fe7b67a36b448712474541f3b91ebd28aac6f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afc74beabe54fadcdcabe7511266eed3

SHA1
91ce5bc05c3845a65b741c96d22e29b3a18b8179

SHA256
5ef53b307d5920ceb631c63af500fb452ce1e3ef7fa318c75a5a35db7f51b308

SHA512
a680f985d16d24fb55a05901cc49a84db0f49b5a749717c02d8b69dc648157142a853b90b6361b0859ce8c9c53cde73ea73392219f3e9eabd67440e556360331

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53789a569f8b0deec601214a57a82945

SHA1
df338d30000d146b48efbbb8f41608f2cb8f33eb

SHA256
1dee35a4cd73f12a022afbba11d51ac54e363b4f24582c149f54981c415a8674

SHA512
869b4084c1fa0479cb106e6ab7031f1ddfad922000babd8dc6382c1675964941b452f207da47eaa4ce3cad3a09cd538b66167f9bf0df4a61346da58faeb58b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d74db13e87f8fc65fcf46f651fd6dd7

SHA1
d727a86481a3fd02bd31428e17f98f457d1aeefc

SHA256
3acd000a4066d40c9deaef1ddeb4b51ba2a2d942dda95b0f93455640664f0f7e

SHA512
c52e957eca3cc4aad812304092d5c8b0b9e19f42ed277b59f055825d2723f8afff237302bcd9f9e11418ccf137852b16d54cfb0b608fbc3bc87b57865eed3424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4b6ffb6b4074289e4818c1306211fc8

SHA1
009952479f42e8302e2dfa21c16f156e18f2ed6d

SHA256
dee495121b72fe917717ba32da67acd972b7135e7ca554d2e8615a8cbd4a7c44

SHA512
9a16bb7b4ad56131aca42d5688cad7c64c00a3b306d47e26097a57bb1bada0e0efda040685fa593e5dac0f447aba9f0b88f63ec5b6d01ee492f209fb53e7dd30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e89c0e101aca9ced3f9b2144d7d5aab

SHA1
e9cf4935b161733e32820a4da991db1bcf348aa5

SHA256
51ad302469371e20e14fb64faf216eef5b8b4354805811b11c8cc143194a3309

SHA512
017422d39c318166e85a1ba001019d24b6dc32053f051ae1766cc6d76904986990c7aea0b7ddc3bfbb09381488c8cfa7d37df9e21073032c2c9157caa9e32975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56d2296544723ca5fc8d2462e34cdecc

SHA1
a56a883ea2a4b30d4cb7a423282eb051299719a0

SHA256
a342ec95a2ae199a093c49db1be93ae76fe7479bf16fa556e1b1960aca4e7145

SHA512
9b8b3c738c7c18b803a7cdc375120e27a357b41d6676141354bf172590cdaa7fd225619fc5a67cfe22783e309ce89437d2a28ff1ea4623a8eb761bd2c33c13a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d70c3930b7e1dfcffd4d09aac570ea2

SHA1
d5ea7726ba9865ccb2585106617c33a55d1602e3

SHA256
484fd7b7d1855b199e2fa7fbd560a0971d69ad01e0a76ab85601a0d1de6e2e74

SHA512
14a4b12b052465f1496148091f3796ea93b5ecbf55d975f156d3c10e999a5e384b2b5d83f714431be7733c030283cdd1d8e1421cd5fe83517472696700fd439c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1f261b4bee507bc61845e37950569a4

SHA1
8b81f0a962a4183ca944f18fe33b350019d7bbbb

SHA256
bf3d00f51c30712d0a22fc9b8d2a2448cafbd673e82f4d0dec4e37648fb231f6

SHA512
6c128490a5814f933fb008624f3fd3c3bbb2619651db24cb0be4331b6fa3171b18396b4631d603e91681784ce0be53d3da27d5d20e2ec1bc4c48a3acf5828ee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8492d7620f3dd09ca2f29e7b8b32f0d

SHA1
3a989394fc0a1534be415cd5de1b05014631da1e

SHA256
b088888ac0d4ab28689b37e5b0b8f82c6d2ae736d98213b5c8a4d1b2457b526f

SHA512
06a0afefe062b058153cb9e81c2d3deb1b748edc5e5b2adf7fa70e626c8659cf3c4f0db9878ccd4443c93b0e9e20010f7884c99e1bb00691bde2b2fa94b02818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44636c0b46ffdd9f47186e96e8e6de22

SHA1
0f03c54f50805e403de63d2d72e6aab96e6c5fcb

SHA256
61480aba7d4a38e780ef0e0a057286d1e5bdc95da0b7f4a35622764eec5bab19

SHA512
ae420fb7dfd4336b05a7cf8c1a65791c7d12dd0a6c926a4717dc07e5a360e785c3e4b71f8b283b4bc927460d9efee2b08564086a8bbcf5adb46434e87b744b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6ffac1c58c09698c4d46505db237d5e

SHA1
43650a0af89a94c26c0f03377a0674cdd2984d83

SHA256
1362e13a5201bbcf2d4420beaecd780876b7f53cbf85bd172bdb40c28219405c

SHA512
fc65c213f7b1ae7b5a23a90a00e224b87f17840727270ae91e3bb68bd9d69378a73b57745e9345f5824249d6be87c9f312da00339f2aec5cf0f4d37278851f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
089f01cf79a579a259a16cc023765634

SHA1
93085781bd2e2a0a17870ec837697c15a1f8ec92

SHA256
185e328f52ea4bd2eb6b9898ffd21a3048ea1fab30e5dfec3b6edf5a1bae5edf

SHA512
ece3f051ddbb6101c3639bcaf099e7db933e07a09a65ea063c08a215eb6bbc4755eaa5e9bb1b87dbd581a80bebe8a866712e8f1bd6e5d0d8bdaea0468f550bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
369c2a83c004016293d8cd69302ec52b

SHA1
999bdafdc85e03759d57b12a5db8a60d28d6ce6d

SHA256
c82a87be180d7c3cc4236ea41e800ede75690425b02b2dcea1cb4a1909c826c4

SHA512
8bbb0b9edaeb31a3ca841ac3bd249ce1f0d18c78c16b6bb46e002d06b4715b0ff19eb53bd7cfbac44428797df5b0cbca0afa5a554829ea9f449b4c1f54b6ac7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2429f5a05873d56c5f6c02d4ad7f1cc

SHA1
4b4fa2ab271b48ca43a5fd4945fb8cdc676e9a27

SHA256
20048ad5e53e0a6345cbaddb02445345e97b550d8cfa7a98f91c1f63260381a3

SHA512
93480bc7d97cf51f0adfa93ab4e8e47a15c644ab5be54a5c53c9e3b430b4290e62e42407b62b91e7d9e335c9265b19a074368e38d3c2ae7f535e767049f89ce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
990ad21ff4e22e5940a796954cc7a541

SHA1
ac58c6793c73c87e9a0b17a9ea1f9c1f6cacbb61

SHA256
bf6c8b605eea5620d9f7f2b2efdc8569aa5d9ebd465c9cb4f76e801282e83bc2

SHA512
586a0799e713bcaba449abc0921c9b2b389e58f09d471b788eadac6dd6b522b115b51dbad1d1e62d46bc7adb8565c91e25d7bedf11ad4d8e67aead7a14615387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f513841a634e94eb6369a9d2333c09d4

SHA1
fc2c03903cd200daa77bcf0a621ddad192d9fbf5

SHA256
2608e9f9ef2ee1877396aed8262a31df31b6fa7ac51ed05700caa0566146d9d9

SHA512
701a0e3bc13dc87e5322e9811b3bc00dccda1ad362d8a8c7671d9e26440ec34b2aad74f0d5aa0b0bc7265c698e93a1dc1d3dd0f82bad66ed00a2a4f10d856e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ab22acb92e89dad6fc16e60e4e4052de

SHA1
da553b65dc60baae78f501bbed63667ca10e9655

SHA256
83ad2e224f3e4be5ea57ce13afb42dbc1975b95dcb48160f4f94dd51fd19c263

SHA512
d2119a1539f62f8860773428b269ebd54a2b7b967f727fe63de5f4fe20ec38a7736a9b56c4ec3e7347bd428f4006a1089c8cfe294c8738a1c7e18040a1802f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BD4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2BD5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
725B

MD5
94e411c9754a0bf5d9b0cba827db9cca

SHA1
22957720c1d478a7199c93d56e8f79b6298f1a76

SHA256
aab78a20a553ffda62af147443ea610fa0d748a98c0d7584bfe1bd18d615b888

SHA512
85de80347319d4c765d16aecccb50a5f19d3ce2652b3f95732a0d9fd9c878359de25d032489080e299e27637ffeab909ef1ca59dde2ef4292f00530138b7905f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
1e873e548e0e5fdc72e1c091d56743c2

SHA1
ecb960a9b77d2fe7acb1b5206040e338f28b9dee

SHA256
707a50c86c0bca972f3b24b658bef79067950dac8d5d657ab6d0b02799b2690c

SHA512
264d31fafb5813fc0c24391eb78037bb469c02b6557a56357fecc48168b037e71cc020b691b36363d084bd31458517856ad4681606111efc6f53131043cfd7de

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9e656d15b5874231f272ef006349d995

SHA1
a7209dc63109c028ef472489599001dccadf5fe1

SHA256
fc2f46a22a472082dc4a4e9d1a8700953bbeb917433ae127441b38018fe75feb

SHA512
7ca915a4079cba135abf87a0a9d93e301d36bf047dbbeb637768ea92d8c7b1c992caa0314e9c24f68603b98bce46a2975810f09eae3737481f16daff6d3580d4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
3fcc237fc02a1230179321b7a2cb74b9

SHA1
69885acee8bde5188a1e1c272b5636acc6ca835f

SHA256
186ccfb20c219f9535384288d8b2f11174e9757bc871b74c0d214405ac4a5918

SHA512
570582ca06f0f4d37bcd9ee82731e2bb43b3aa69267eb9a8d459ec358ec6f2f7e48de5c5384bc613602fc3a4376647377e512fb00fdc2459ac81dce3382f3008

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
ade9b02bcb0ffa7000fbf69d7e7870c4

SHA1
e525f39247299fa07a5aa3c0dc218e455d21f929

SHA256
a24866f8470293441637cbddc4c7cea8203399d6a4f6d1a06c47977edb3ad265

SHA512
fdd966b682d9d8e1619d96b06b0fd58787eddc4a730b37404892b2cf09879d56872d1be6b9955e4e96366c582e1a9078980f6d84a8c0921643c6e94433c214ce

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe

Filesize
562KB

MD5
6da2aa546d8b19c63f093b38726ca71c

SHA1
a8bd1b15341cb421052df8c603c692e79c6b5d06

SHA256
870025b034150f65799f248e046ecb495bda429eaaa32947585120006790a781

SHA512
c46e0efc9387bae0976c4ee7c61b7c929f0ac46197f4d3032a223be22b4d937eee059c40ace89b0eeb488647a6a7a2ace6a5551a634a46e30c0e3cd900090229

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
14f883375a73e82aa0a9251b14400804

SHA1
a87d67df071dd0514e26593c96ae09bb32d60d57

SHA256
e8e72c8e403c29f10c78ebaa6bf06935320f439421659fa0caded4126e39bfe0

SHA512
aa13e2153d72ac3abd9a48440cc52188ad3eead951647889b242c3e42a34ba8650e5d2e3b19f20b82fccbfbdc7ede807d182abfba24df40c1f61604574f5bf4e

Download Submit
memory/1832-51-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/1832-128-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/1832-52-0x000000002E013000-0x000000002E015000-memory.dmp

Filesize
8KB

Download
memory/2000-136-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2000-195-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2000-184-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2000-178-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2000-177-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2000-151-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2000-186-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2120-37-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2120-20-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2120-18-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2416-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-133-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/2416-127-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-197-0x0000000007760000-0x0000000007762000-memory.dmp

Filesize
8KB

Download
memory/2416-604-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-1261-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-19-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-706-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-274-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-17-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-6-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-5-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2416-0-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2416-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2880-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download