cycbot | ea9523c99323e10c319ef3ae857a6a4ba50e7d553c44ae52327b94cfd0c2ea9e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
Size

429KB
MD5

e34a3f36fb50ef5af71c30581e95ed6f
SHA1

100513d331ffbfd191d54d2cb7f332d15c9b0c78
SHA256

ea9523c99323e10c319ef3ae857a6a4ba50e7d553c44ae52327b94cfd0c2ea9e
SHA512

8322a59e26551ed7f3c1d65eb81057c9219d4b7c1fb40c3e872b9ee6e4885ab83901697776fb5cccd82e3776321f3307ad98a9a95015e6554612a689a647038d
SSDEEP

6144:Vp6J4VKtQ0otLvnko+XxoSb2xBliiyNgccAOFAIgcAxlHWCJJXSW+rtx7EKNvVLD:76P8nTu3mmiyGcgLlGXSXtxpVj2w

Score

10^/10

cycbot pony backdoor credential_access discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 9 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2372-4-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2372-17-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/1984-129-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2372-145-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2104-212-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2372-213-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2372-321-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2372-328-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot
behavioral1/memory/2372-337-0x0000000000400000-0x00000000004CB000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
1548	mscorsvw.exe
1164	mscorsvw.exe
2924	OSE.EXE
912	566A.tmp

Loads dropped DLL 2 IoCs

pid	Process
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000\EnableNotifications = "0"	OSE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18D.exe = "C:\\Program Files (x86)\\LP\\D055\\18D.exe"	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\I:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\L:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\N:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\T:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\V:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\H:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\J:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\O:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\K:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\W:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\X:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\G:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\M:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\R:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\E:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\Z:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\P:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\Q:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\U:	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\I:	OSE.EXE

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\dllhost.vir	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-3-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-4-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-17-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1984-129-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-145-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2104-212-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-213-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-321-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-328-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2372-337-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\D055\566A.tmp	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E0E1D327-58AB-4308-8D02-53A9301F5C31}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E0E1D327-58AB-4308-8D02-53A9301F5C31}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	566A.tmp

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2924	OSE.EXE
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE
2924	OSE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	explorer.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	2284	msiexec.exe
Token: SeTakeOwnershipPrivilege	2284	msiexec.exe
Token: SeSecurityPrivilege	2284	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	484	SearchIndexer.exe
Token: 33	484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	OSE.EXE
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2012	SearchProtocolHost.exe
2012	SearchProtocolHost.exe
2012	SearchProtocolHost.exe
2012	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1984	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	37
PID 2372 wrote to memory of 1984	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	37
PID 2372 wrote to memory of 1984	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	37
PID 2372 wrote to memory of 1984	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	37
PID 484 wrote to memory of 2012	484	SearchIndexer.exe	40
PID 484 wrote to memory of 2012	484	SearchIndexer.exe	40
PID 484 wrote to memory of 2012	484	SearchIndexer.exe	40
PID 484 wrote to memory of 1596	484	SearchIndexer.exe	41
PID 484 wrote to memory of 1596	484	SearchIndexer.exe	41
PID 484 wrote to memory of 1596	484	SearchIndexer.exe	41
PID 2372 wrote to memory of 2104	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	42
PID 2372 wrote to memory of 2104	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	42
PID 2372 wrote to memory of 2104	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	42
PID 2372 wrote to memory of 2104	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	42
PID 2372 wrote to memory of 912	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	45
PID 2372 wrote to memory of 912	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	45
PID 2372 wrote to memory of 912	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	45
PID 2372 wrote to memory of 912	2372	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe	45
PID 484 wrote to memory of 1364	484	SearchIndexer.exe	46
PID 484 wrote to memory of 1364	484	SearchIndexer.exe	46
PID 484 wrote to memory of 1364	484	SearchIndexer.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2372
- C:\Users\Admin\AppData\Local\Temp\e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\5B771\D97D0.exe%C:\Users\Admin\AppData\Roaming\5B771
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e34a3f36fb50ef5af71c30581e95ed6f_JaffaCakes118.exe startC:\Program Files (x86)\7172B\lvvm.exe%C:\Program Files (x86)\7172B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Program Files (x86)\LP\D055\566A.tmp
  "C:\Program Files (x86)\LP\D055\566A.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2792

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:1596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:1364

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
284KB

MD5
e439430997faf032bb90db4cb3cfb85d

SHA1
f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

SHA256
d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

SHA512
98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
8174bc516ba6943da8e0f2daec453f27

SHA1
414db3d2b6875d529a290517033fbf8002a4b319

SHA256
f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

SHA512
a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
bcbb86de2d9b26986fa407ad4079d074

SHA1
4b5d5b455ed73ef66299404be3ef351437831e2d

SHA256
b412a7eee14683f2bf410fd0ad5524387bb4a73ec565f32b8e997c827bc00ce3

SHA512
a7ac36602e3f8b59dc88d0a627ccd0127fccaedccac3b08b664af363b80d008fc8e5debcb7e8294aaa585d2599a398ea855f9f86a962926505865677261d2782

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
a966de0604a7629db060cb5c0f8810c4

SHA1
10c6832e2b1f3d1c4b04e61d76daaf79dd2422ce

SHA256
1a39ff3da1df5c90c9b2f9a96318f4db749eff0bfb53d49612e49da4f2678059

SHA512
c7d6ef34acf66b6c54f8b1db25e269cd780f4d40200203efde4488db62f40cf860f4f4dfb7c9a1b8015ee107768bd8ef35754b006757119e3281db7b8591b316

Download Submit
C:\Users\Admin\AppData\Roaming\5B771\172B.B77

Filesize
600B

MD5
1a465ac9b4abe7ac4aeaad82cc87bdfb

SHA1
949db227135b77bfc4b23fb627c59ba48941440f

SHA256
c9446af316cc55b3018f6ad044a58ac4df3bf4469c673cf7223c6e254a949c7f

SHA512
c1562aefd6a63acc86f00233f7d7f7fb50f3afcdeee5794ad69ff7cad93beb7040a2a6920b2e6fb50b69ba2df9f1970d060dcc9a60c321b629b385ea959c72eb

Download Submit
C:\Users\Admin\AppData\Roaming\5B771\172B.B77

Filesize
996B

MD5
31f9bcf6920fa0f951372139689616aa

SHA1
ea6dc65491f84813bab24113428fe7cbdff627c5

SHA256
61616e4f7aff8edacd964714d16b16b860219aa51944b4057e9b19df0b095f90

SHA512
57053d572fbc906bf6a2e005c64b57f06d177be78d1aab553e8d18dc525fc5e37a97abdfe81d5730e9e41027797dcc3f6dd03314be95085e33a531e1f8402ac6

Download Submit
C:\Users\Admin\AppData\Roaming\5B771\172B.B77

Filesize
1KB

MD5
e3233691f7766713a873f362b2073330

SHA1
82844239f84625584332b2a494ae292ca038be3d

SHA256
82964296a114b74c36a67c2274e15c5e2b0dc930b75f3967151be6c317bcf03e

SHA512
14f21af55ec5783c49ce55c98f227e62652bba0d7875b2d86d4ac812fac7d460d29fc700ccee7bf880c2bd087e8ce3e791cb2159588a708bd88303e1eec082b5

Download Submit
C:\Users\Admin\AppData\Roaming\5B771\172B.B77

Filesize
1KB

MD5
d9d84e975a5fa1352e61fc2a5e6ae025

SHA1
24420aa551403e3ae25101ed6f0e8f3c3691c337

SHA256
f49b7454070aedf28749c901e5deedbf798bfe047c43edf7dd260bb26abab337

SHA512
ae5efc498cf869f8b84b04a3dadae308a93740fd26f938dd0eb35f61e44f1f290790bec3caecebb1402fe53bb1b0d08ff682776eb2cb704026f76fc313fac05d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
00b1e477313e2241b3b495e04fa4760d

SHA1
31df090715944e218cf0f2126acb90e9bf695480

SHA256
6977a75c2ea95a6d99031e3a24f89e8c6aeb7fb835cda5b76267a515083a3576

SHA512
017a1735e171f95a802e5b9587b708908ca92e887e24dbb36249c16f9f9d58f3f85477686cabd5244d936f4eff220c475fff33b079f68418d00210d53a8f1a20

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
875a6833094c01968717fedad44c9dea

SHA1
3ab1ed4d6eae53357a0f644d825aa83aeff75340

SHA256
3e62b17766f270216c23b358864ba1aa9b55d4fd46724f1f686ae080412c28cc

SHA512
6a07f75bc27fc09a4c0a8862238d590ee6965bb3ee0c2095e22654692b1c91f51d3f84ff8706fb095127f8612b7e91e6198ef0c3b85702952f112f3a06bcfe1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
7ad7c8b56f314932e74f9c7f6d258d65

SHA1
c590fc2dda6f3caf52621e0a28080829ce1058ba

SHA256
4f0fc3c868e016adb858d41766c6fc0d3f3b81ba30e9159655bd89040890e28f

SHA512
bc77ed7bb76373f4710a2b1e096d6205d9fa3999a9590de174b729e7cced0a512a535768dbec6685f63ac1123531484db5d5a9218bbef4aae95b421e2858df11

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
2d41775446d615becf53e6c78d9cb934

SHA1
07f0aff179dbcd0a040e97b9cc66b9401edd6803

SHA256
08f57b98a291d221ad2bd26c05c54fc8d5fc591ffea915612a76b74117e06f09

SHA512
ae87e642231315f4acd747adecd37959f7a8bf9c80d7aa372bba29502bc4076342a76724065737b2786a95b69cf14df80eccd3f11cad3ef8c81399bbd1fb8dbb

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
3538e3da5752eea7456d08315e49a9ef

SHA1
2eff2f862b904f4f62e4d30edc5b4d548266ebce

SHA256
3161861d3d8aa94928a980195d58145088f9da3441271a071582df4f6c72c4a6

SHA512
2681ad42bf61b5a6999d085e0b24bfd3a661d430a2929c746811496a5e706f7d6d1aa5d87db10f8bce974c72d43a4c9df7285383946f7bf0c4f64f497f328842

Download Submit
\Program Files (x86)\LP\D055\566A.tmp

Filesize
99KB

MD5
9d83b6d4629b9d0e96bbdb171b0dc5db

SHA1
e9bed14c44fe554e0e8385096bbacca494da30b1

SHA256
d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d

SHA512
301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

Download Submit
memory/484-112-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/484-104-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/484-68-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/484-52-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/484-121-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/484-110-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/484-103-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/912-292-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1164-29-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1548-31-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/1548-18-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/1548-16-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/1984-91-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1984-129-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1984-127-0x0000000000730000-0x0000000000930000-memory.dmp

Filesize
2.0MB

Download
memory/2104-212-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-17-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-1-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/2372-146-0x0000000003F50000-0x000000000401B000-memory.dmp

Filesize
812KB

Download
memory/2372-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-145-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-90-0x0000000003F50000-0x000000000401B000-memory.dmp

Filesize
812KB

Download
memory/2372-213-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-5-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/2372-4-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-337-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-328-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-3-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2372-321-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2924-134-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2924-45-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2924-46-0x000000002E013000-0x000000002E015000-memory.dmp

Filesize
8KB

Download