buran | b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Size

212KB
MD5

3ac926d3bca5450ce48d10c253700ae4
SHA1

0a918e434b1f8e125fb23a71c7317e6b16f3df23
SHA256

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa
SHA512

ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5
SSDEEP

6144:Via1gMHvEXtAuL5Qnqn64DQFu/U3buRKlemZ9DnGAe+hH+8:VIMH2Gw5Qb4DQFu/U3buRKlemZ9DnGAV

Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 14E-AFB-3D5 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 10 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin
behavioral1/memory/2356-98-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/1504-177-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/1196-4078-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/2008-10804-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/2008-20356-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/1196-22509-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/2008-28247-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/2008-30284-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/1196-30316-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7385) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1296 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

smss.exesmss.exesmss.exe

pid process

1196 smss.exe
2008 smss.exe
1504 smss.exe
Loads dropped DLL 2 IoCs

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

pid process

2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

pid	process
1296	notepad.exe

pid	process
2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\G:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 iplogger.org
22 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
20	iplogger.org
22	iplogger.org

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.DPV	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITS.ICO	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.MANIFEST	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR12F.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO.14E-AFB-3D5	smss.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7es.kic	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Denver.14E-AFB-3D5	smss.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\rt.jar.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099171.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP.14E-AFB-3D5	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.14E-AFB-3D5	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1848 vssadmin.exe
1984 vssadmin.exe

pid	process
1848	vssadmin.exe
1984	vssadmin.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

smss.exe3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exe

pid	process
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe
1196	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Token: SeDebugPrivilege	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe
Token: SeUndockPrivilege	1460	WMIC.exe
Token: SeManageVolumePrivilege	1460	WMIC.exe
Token: 33	1460	WMIC.exe
Token: 34	1460	WMIC.exe
Token: 35	1460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe
Token: SeUndockPrivilege	1460	WMIC.exe
Token: SeManageVolumePrivilege	1460	WMIC.exe
Token: 33	1460	WMIC.exe
Token: 34	1460	WMIC.exe
Token: 35	1460	WMIC.exe
Token: SeBackupPrivilege	668	vssvc.exe
Token: SeRestorePrivilege	668	vssvc.exe
Token: SeAuditPrivilege	668	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exesmss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2356 wrote to memory of 1196	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	smss.exe
PID 2356 wrote to memory of 1196	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	smss.exe
PID 2356 wrote to memory of 1196	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	smss.exe
PID 2356 wrote to memory of 1196	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	smss.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2356 wrote to memory of 1296	2356	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 1196 wrote to memory of 1248	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1248	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1248	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1248	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1028	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1028	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1028	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1028	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1428	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1428	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1428	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1428	1196	smss.exe	cmd.exe
PID 1248 wrote to memory of 1460	1248	cmd.exe	WMIC.exe
PID 1248 wrote to memory of 1460	1248	cmd.exe	WMIC.exe
PID 1248 wrote to memory of 1460	1248	cmd.exe	WMIC.exe
PID 1248 wrote to memory of 1460	1248	cmd.exe	WMIC.exe
PID 1196 wrote to memory of 2548	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2548	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2548	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2548	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2744	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2744	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2744	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2744	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1916	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1916	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1916	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 1916	1196	smss.exe	cmd.exe
PID 1196 wrote to memory of 2008	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 2008	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 2008	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 2008	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 1504	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 1504	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 1504	1196	smss.exe	smss.exe
PID 1196 wrote to memory of 1504	1196	smss.exe	smss.exe
PID 2744 wrote to memory of 1848	2744	cmd.exe	vssadmin.exe
PID 2744 wrote to memory of 1848	2744	cmd.exe	vssadmin.exe
PID 2744 wrote to memory of 1848	2744	cmd.exe	vssadmin.exe
PID 2744 wrote to memory of 1848	2744	cmd.exe	vssadmin.exe
PID 1916 wrote to memory of 3044	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 3044	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 3044	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 3044	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 1984	1916	cmd.exe	vssadmin.exe
PID 1916 wrote to memory of 1984	1916	cmd.exe	vssadmin.exe
PID 1916 wrote to memory of 1984	1916	cmd.exe	vssadmin.exe
PID 1916 wrote to memory of 1984	1916	cmd.exe	vssadmin.exe
PID 1196 wrote to memory of 2876	1196	smss.exe	notepad.exe
PID 1196 wrote to memory of 2876	1196	smss.exe	notepad.exe
PID 1196 wrote to memory of 2876	1196	smss.exe	notepad.exe
PID 1196 wrote to memory of 2876	1196	smss.exe	notepad.exe
PID 1196 wrote to memory of 2876	1196	smss.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2876
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
a5bbc9c29fb277dfc82f3558ac96ae7c

SHA1
e3ecbc7701d2c849d166c132ae92b5fa70ee58fe

SHA256
18b28dbdd1126941f7799e5f3b56b0cf932d21af2e1c60e5725de6e296b1d69b

SHA512
04e095bd2a17f70d7979e1ed78ce6d5d255ac7267cf89343b890d52aa2a0ab13064d45abc1745c80d6f20e7e6fe4b3fbd76d9baf3a3b3c7e1fede2e1999e21e3

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt

Filesize
29KB

MD5
6896925b1fb91e7a49f4e8b38e272368

SHA1
93106de64eeeb9b05f3bbcdd523f525f3d331dfe

SHA256
045cd18bad678c94176dea1a0131f5de34ee2ba5cb546e2afe428fc7cd801c01

SHA512
b02db9e2dc58809617f1f898f754712a9aa40df842f50f98cd904f001397e7a4511c07cd63c34d4cab534c050466ec495393e78a39d16244c174b2007810c92b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
56038f65034ce7e3d3cb6fbaf58d8fb0

SHA1
9ec19cef50ebd625f6fac9b567f9bcda8dcacca0

SHA256
0b33c9a0e3b80f2264538f530e3c4a4b025c3be55303ecd17dd9e9834f71e2ca

SHA512
a9ebad7ea860e15b0c34057767275e33f19bb4e579374b54c608eef8c1ab069fd1840fc337d7fb0f80f4da4ab0ea87ee0d0d9d3c8b3cd51d20e77e3fa422e37d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
37ad3bc45e791829d64645243b6cdff3

SHA1
95a734d0117ff73a6d497d0a09104be817720fb3

SHA256
9ea048e5050baf703bb62f0e1cda15e2b32009c902fad75bce9465b73cacb95b

SHA512
bb99a4eaf880f549d411d6e82c2cb80f33503768a1bb11cd5c32876ae260b2ff50e69e47e67feb94fcde933a7daa479f49fafeca02b8c09526c97b057d9ad3d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
d0484fdb94dd67bc655d0cefcdd4b091

SHA1
ea46e90917cee6e0cf8ef3c4d5dd58e24b3976ed

SHA256
301a51e930bd53cb9e5619d91ec59c781ace9cebd6455d9663148c43295f98a7

SHA512
5765ced9439bb55103cd8b09d85a237da66e9cc8eab8dc7bffcfd7d3a270662c522f23e0ccb383a08780a7cbc87c78464dc16515c5e1e004eea36092b7bc2109

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
93a94e722ff52b7c17dd5f95fdb817f9

SHA1
d2d2459c254b7392d382bf929bc4b4a8283f9830

SHA256
034a58202cc0f3cd83f6c10ceb86013952c78bf4c073121bcaf484c3d344fcf5

SHA512
f4ffd71aa715474c4a33283e1b7be360e2b109dc536055b127784e1326e4e5683d6de9ea4ae8fdda34cc97792cbf55382798f4a8444619dfa96b077715b4e268

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
e11b4cf2728c1f78f5487126ece7b2ed

SHA1
9a28d293d9910b575eb0d15df7f1f61cfdec5538

SHA256
a8c164de2a9ae312f807869f25a097e944a6fc9bfdcc3d6968a8dbf8f5926ffa

SHA512
a8acd8f57a1acf79c61879284ea57422ae4aa136c61f78e0468cd11e5c76a0658b37046d2f1556b419215f805815e29a189f7b14e7a21cbc18d61a261ae46e48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
78KB

MD5
2b99134b425b046ef90069340721a341

SHA1
0b7c71eba857d5d2681d693a1770fcdd02379965

SHA256
fee72633f7d28ba5730361ea49f30c6f1e20e0e099dd68413696e831404f5d98

SHA512
dd067c3b92459580915a5f67739a34b94b2d775c8ef704347bbe9392d29f97e0447e88ea3aa3520e3fbc41ef57d471ed27cc7e69f2bb7b40df68d23bc7b36f6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
cc14d689c06c7d2a3c0b4e7141bb9062

SHA1
03e08872afe6bfe49a57f33b6c926d68285e0879

SHA256
fa5f9626f94a2a5ac4eb514cef18a23df4d79598b015dc56e5c9993a996642ba

SHA512
17715621883a099c84df4c63b4652f56774b9ed6a2209179d4ca8c1b405c8e2d66f24cb2c030fbfe8ed9dc22739d21ea3bb2b1fe4c6349f9643a28696a21112f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
946B

MD5
62c1a28d988e2e3c9ff0b10b85e8638a

SHA1
68381870942f86ab64f80310e1efc8fd6154497e

SHA256
dc413d38cc1d9cac0482e3aab9c40ba47a4d5848ad88bd5601f823c404565463

SHA512
92575b499f9546720d5f0ff7c12c7ee74e9cf4fa230f00913620039cef1aedfe30b2f1d2534ba7a8f04e4952a9a56b7232e4f55707ad204cc0f124c3ea4b0180

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html

Filesize
10KB

MD5
100eeca90212de3ac8a2e2e2e2612d97

SHA1
c040cbfec2ba3c9a7190a8247f94cdbe2894c3ca

SHA256
c65aaa811751a3de05b8c6c72f8b5174d86dd1c47813dce8a588007c2c7ddbfe

SHA512
827898d7b3f861821f38be44dfa7a6fc86a7a3237121342577fc097e7e6eadd46f86999af511576d7893d3ac2d796fae2bbe1fd9d8795fd656fcea2594ce1b49

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
269460fe31165ebc55a570320c75449b

SHA1
fdd35583a96a6fe1f9b6725bb944436bfe83cc25

SHA256
16d645ffbcd9490867bacf166b19eb712246b6358dbe47d10daac126fa307ea7

SHA512
c34727d40f0f85fae358c40868e9e7e043c9702dbcb64cfbdb19a04d57c0d75165f118487ac440564d09a6db19fe5b330e251a58a8014db3cfbecc89682a0ee8

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
06b0ed7f13d39321a2032b38435e03a7

SHA1
f72b20da8b75ff5b16cd3cfdcb1fa1c11054a517

SHA256
54d636052be8a2a2b46344c829b69c97b9ef212d27b80ef6988fa6ac180dfac9

SHA512
6730df5ae5160ebd0c9d96a42a74cf3d9717a980f9ad0a8d2dd2071fa48896205c75ce26b2ce936c2dabc92a025915bf6d165c8202b679001d38e1ca641a9c7a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
600KB

MD5
beb26d4ef9ecdeba5c6d439e84da6dae

SHA1
92f0f6a97c5b02a037ff11814927a626fcca52ea

SHA256
002c48d0226c1bce9734e7019d4ccb57d11e11d8974d132ac50a40cc87dcf154

SHA512
7cbee62b51aebe03973d48d3c20b329767a81aec5d0387d6d54803c0e33a1690ed283581f07a7d345a60b0d1c61e1d6a176b9da0959e1836b282d0f4fb42ff58

Download Submit
C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo

Filesize
621KB

MD5
7b6339ce74473709dedf5881d99a2061

SHA1
d44ca3c5b8cd757d74dbe075fb45607ae849c927

SHA256
780f43bcd1cde93716c65a35aa705a3aa6870e7e3215020e00149c1a18aee5c2

SHA512
cd0ae85de3cfeeb1a2f68738cdcf8eb843fd088dc8983ada1a1a91b6b0d03905c0b20cdf63792db02424d535bd3f022eda50ec7b349ca5721afb205aa1843e25

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
bee6b2939ba766563435dcf1743caa6b

SHA1
710b3791b17b17d7d31cb6b3358dc210cd1f5b5c

SHA256
c8b8dccd4c9d8164193d18d3ea0a5014603e8e726184979c524a60552934d766

SHA512
7c8505302ddceed2946801ee28fd864170dbfcb168ccaf54267af38276f037d63204304f0b8a0d5cfacd67960f899b82bcb85ce11e18e93cabe90572c5005c7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
793f91b724d85cfbee31286611d24276

SHA1
7ea041859f49b0ddbe169ba8cfae7a012566e901

SHA256
1670d1c6d9364e85bbcc0fed25ee15d08f776ff0cda2faa922d2332bbdefe8e2

SHA512
1a2a569ea31e129b74d72c88a82c4fababbaf1594035587be2c4605635cbe5b208ee8cc5320ff14b9381861be6eba06423c928bc097c9fd7ef6278bb9b4feec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
28441017ed2172f154d6a0eb6ee6cd87

SHA1
b2a96dc105d2603b76c8a06da371fe207f44ada7

SHA256
0eb597a1106d9f406c3a235763137119b0c2ecbf4c5ed4776b38742f85cddcb0

SHA512
69f5ad19f1104a9d2918ba113e49bd27f9047a9c5a9300a06dcfbeb76e6cc5161cf53225816d6df1b4b3b680e86e9eb0ad1791189dfd0f1a351250924b6d3923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
f2a7bef3c890748b52e2fc35b32663c2

SHA1
7c5538bfb0fe21c17bbaa3183d1a081d5eea906d

SHA256
a6db3fb549254bfae69b44499d5ef43d1b9c245b3098d9c159cdbbb1c218a683

SHA512
8755efb2c0141414abe270d5ba107cfb26e1961e0b12675c5c8e27eedc434bcb3679a019c75fda6a643a191705db52b59618e4a5308d035c48ac5a1e2facdfe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
7485735150780d51c94b8e79b49801be

SHA1
2aa1a8e5add2a90c096d21fb2f0d711746d06294

SHA256
43d1c6e1ebcc2bf7bd5dfb48a82efed786d7311055fdb713d407d15398c73ce9

SHA512
ff10c15b69e329dd89e8e0ca8d856d901bf1b209951d9d9325129ea068cf35ad7a21ea87e194f0ac67c631974fc6084ff9a6d9c2d601a014199b731b005cb5a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee5ed88f64c8f32e00f1a82796f42efe

SHA1
344cc85598729a6e2ec411e0b8777c8cf19d42bf

SHA256
d98e21f2cb0bfde16f6ff91e553dc595260d46eb6dee218c588e057a8a19e5c1

SHA512
72abc3e0cb7b2cd4347d057afe7d990cef4ad7b096e5c03a6d9621c3fdda4fb398301ac8be8f0c14306afbdcdd036fa92659da97ef974e82714b1b4bb1fd864b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e523894127efd959dd309a3ccfc5e5e2

SHA1
13e8163eb3ef4b0a83069e327c22f12c6d295f98

SHA256
c9488e7ca289b2e77afa81712c83cdc43eccc722dbd3e1bdf66e9b8c0a274f07

SHA512
cff8bd16b77e7024d7047a124bf31f58481d42119cd162a46c25b7d4bbd47bcf2cb6daad16a2eab5cc2f9b0616d5a5db9f94127d02b8a729af4e0ec2e9144d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
e774e9649d12cdd6ce3d3b68cc37b326

SHA1
810956c31a76191d9767ac8dc280b2c93da4adf9

SHA256
5cd32da3672c8721b4ce359b9ca0f885a8bc7d3f92da90ca9dcc7c72d4926920

SHA512
cc4aba2f73d6d916edb8e3aaf68d655de61227120552a702799c38c70284cc7a5b132ec60bde67878a24b8afdba3630075ea321c0d28c2a3058954c7689eab8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
59d27db22acf717c6d6e35890a9cbf00

SHA1
43d961acafb7226bef97c09cab996496a17eac23

SHA256
dc9056a03c71474fff14b5138e7a448644ebb188865c2a122046989d6c25632c

SHA512
ae4fc25a5c3dab8809c3dd086f65591ef51e1f3463a16fa06a55665c44f7f158cdeef8aaec00c2a18d732c05a3ab7f459bbc347be18a1b2cb01f827304daa20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\10EQ14HQ\86H149ZM.htm

Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A9HMGN4E\ATG2T6O4.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\AddRepair.html.14E-AFB-3D5

Filesize
262KB

MD5
ac8b0a68260a56996c171ee4530d323c

SHA1
d0f1f8a775e264b610c3ecf2e8a48782b1fd9530

SHA256
386454730542ca8e45f482dd672619c0d5409b433f82c628c63df2f3966a5743

SHA512
4baea9d06d85229cb3f6a18b59f7cc43851518c6636aee04f137b86f618198d762afa1f305b98a7987e093208fdfb1c1965fb92537dd94643b0d150dacbf6f5a

Download Submit
C:\Users\Admin\Desktop\ApproveGet.tiff.14E-AFB-3D5

Filesize
412KB

MD5
e8773ec3b87a29b60de2d982c9173d4f

SHA1
c5d75fb52bb9d0922d1ddbcd617bd470604b365e

SHA256
9f719f0ffbdde1526058b2a39b55ddc49fd8db4ae89cf48b48594c782d66d673

SHA512
c69317ff8b8acba1c63028b78f41b3171db1676e94bd005a6dcc14cb934bf87aa995bb6f219d386c852bd1bebdb28d3faf8025e8240499f1eff8d4133387a267

Download Submit
C:\Users\Admin\Desktop\BackupCheckpoint.3gpp.14E-AFB-3D5

Filesize
275KB

MD5
7e8b1402bb433eda4d250bcae92d6add

SHA1
de24bb72ce6373e6d22aa2cccd97fc0d0fc9247b

SHA256
3ac611dcc3c2a17a36cc7b24658c6640ca76dc9d1870d343655c9ded6636fb87

SHA512
24a5b66e5503ddaa3c9dff9e0f02cf263231cd8d69fb42b929aa7e216407436c434643289f6ffc3b806614740653cde15aef1bef78d6172267a23066e02f1b08

Download Submit
C:\Users\Admin\Desktop\CompareClear.wmf.14E-AFB-3D5

Filesize
337KB

MD5
da460cceb7d21bb1b777172886f00b36

SHA1
f8892964a345cf1b5ad4b1295a9222a63df8beec

SHA256
d2b993c891f6ffc4198a63a77e5b318d10a3cd1ca2487c991493ecae11b87bb3

SHA512
b9d43cfa9e8b2167841acefe224e4e38b6d81385dddbbb964509eea7ca3867de59cdd83691cdb98299a0df056dbb7a932598cbfe4d37263157ab2487f638104d

Download Submit
C:\Users\Admin\Desktop\ConvertToInstall.xltm.14E-AFB-3D5

Filesize
424KB

MD5
385cd401da3db25d291102680c9a255b

SHA1
6fb2e99eb50f236197466f057fdc474a5d6cef4e

SHA256
e43ae87a5df20a9a14fa4a0586d8716429b96e1b6846d5bad2091ee4c6350a02

SHA512
222c7ab5576fb952bab15655440b1fcbb516b7eaab59189c3f48609f397644a1e7d4687ce87c513f00c2a535c913ab08c128b667dae6bd1794929b632f97e199

Download Submit
C:\Users\Admin\Desktop\DenyExport.ADT.14E-AFB-3D5

Filesize
200KB

MD5
e92e03456726a3e0d1b5191a49665f5e

SHA1
652fe6106455013710e6511edb1777cdf0e7b0fb

SHA256
cd9f16c5005dabc552aed853b0e63c76b3ef73d380350f48f05c149cac779d1f

SHA512
4d664ccf4f6cfd1570836fab159aefb01b9cad8b626e172c4a89bd9efb820e7062803f07941917d15759c93a6181f5a75266659dbe012580d6ffd36652ba1b0b

Download Submit
C:\Users\Admin\Desktop\DisconnectConvert.mht.14E-AFB-3D5

Filesize
238KB

MD5
ea785fe3b21a51d17801dc733f161723

SHA1
7eb1705b5d2773f4c55cf298f4dce886bd94295f

SHA256
7700843bc5e3012d440443bc16b074e9f8b6ee9262c000752d9b114b6b0b5492

SHA512
708c5e7d82e538e444078ec34e6a7e1202ab99c25bf27c218a7fdd82bb0fe77cdb40b739030bc27f05e72788317fb8176c14d5d5e5bd03a63895ea75c94f7bfb

Download Submit
C:\Users\Admin\Desktop\ExpandReceive.dot.14E-AFB-3D5

Filesize
312KB

MD5
2ae8e7e8c5b1437d88847cb8c67b2a50

SHA1
c20c137f2031c452a37bff536d71a98cb7af13c1

SHA256
5c8ad92af527ece1939a6ca793de572f94381e8c01d26e7a729ee904e8b180cb

SHA512
5b2b2b277e00922bb06180271fdc1f36ceed7787f9c57cbad1e4ac7cc4a002d035243123c463ff4d20c1ea80e878124cbb1eb662b0c9c001af7855290f119778

Download Submit
C:\Users\Admin\Desktop\ImportSuspend.pps.14E-AFB-3D5

Filesize
325KB

MD5
6ae3f0cad507530f59d294664ed758c9

SHA1
3afec150ffbd7be07cca83b4bc9961e20723aec3

SHA256
d50f3bc10a7181e8cca130981977c3e27e384ae50f4b10989822de5f9a67ca60

SHA512
13b1f6affb20182263e276643ac48ae271a57ef03ea787ca39ae36790be13de848bcceaeed419c33482ee0f56370e79d7f1061db81f723f20bce79454292e461

Download Submit
C:\Users\Admin\Desktop\InstallWrite.mp3.14E-AFB-3D5

Filesize
362KB

MD5
e209219e7690389d8c3c0b88c1dc9d9d

SHA1
f4b12160de659ce8bc78b0dd7434814fbaf415bb

SHA256
7735e08fe56fe2ca74983963951b73b516d5be321dd27884105ea1cb895d070b

SHA512
62868ba9ab4a751b3dff6cb2ffc0a1644917bbfabf5ac2d915ef313d77c2a2afcf887f3d009765915666d70079f26611d802819e21d96050c3ddc76af1e5d8a2

Download Submit
C:\Users\Admin\Desktop\ProtectImport.DVR-MS.14E-AFB-3D5

Filesize
175KB

MD5
8766071c3ab359f0ed6074644b01526f

SHA1
608013f0a975b184a5c7ac987d5890ba994261db

SHA256
d0b29872f4cd13670967bb0729dc12982feba128473740bb0fdfdfed27a0ccd5

SHA512
1e2b76d98f025e167cbc8690796bbf460969913ebf1a39d93ef1b83e15301fafe5271a91627eb10498aeaa31cad72f77a5e4f2b2a0711fba3ef0801ea4ca9fb9

Download Submit
C:\Users\Admin\Desktop\PublishReset.M2T.14E-AFB-3D5

Filesize
350KB

MD5
6b8586b91b11334d6c61e6c0c59513d4

SHA1
1f7bf37d9618cb0e845fefe369888653e851da43

SHA256
80d3634905de82110e8d6174dcba575a3a5d4866b0e47217864b5bf361a3b314

SHA512
36b1e88faffa1f484bccfd8c009374cdfa9abe1c79025701524565b04fa74f5fbcee76eb700f27cb141437bdb8227b4ad3be6a39f9210f01e35ebc289ca03bbe

Download Submit
C:\Users\Admin\Desktop\ReceivePush.tmp.14E-AFB-3D5

Filesize
287KB

MD5
3737d44f4fbdc6dd721921b851622d07

SHA1
6df2d05f4f33d3ac51bb9cf8acf7d9812b3ba079

SHA256
49cfe4314dbf58ece3e2403683f3b3ed32b286de85cb56a4bd79b8ca6be3b732

SHA512
77c0f75dcbba208c381be711552d967aea8d67616d2ccd534e6b899d488775ed177fa59db387fd07317af8a17590798d47661bef145913f8826fb16959485a45

Download Submit
C:\Users\Admin\Desktop\RemoveRepair.asp.14E-AFB-3D5

Filesize
250KB

MD5
ffd53f3d6a038bc5623f6940bb825928

SHA1
8aa69cd657dd8956ed38efec3abc1c88bfec95ac

SHA256
fd3cbae61c7a8297d917e6ee47c2d334bcd97507ccc7dcb3107be8719dbf9809

SHA512
9a09b0c9a2496aa11afccdf396fe7cfcd494d3a89fbb1a6ca32b79744f6ed80c8013e50760ac415dc47b42eaace4c9af8049548d4a30f54446c70e0a40de3b0f

Download Submit
C:\Users\Admin\Desktop\RequestRegister.wpl.14E-AFB-3D5

Filesize
188KB

MD5
ef0830edc81cf125c4fcd36a14624bca

SHA1
698b7bcf60f840eb0e422a3f6b918e918b547ed2

SHA256
210846a90f3bc5a275764562bf84ccba29dcdaa8e7d0dabe1362f9e1d9299ce6

SHA512
576b10b9b662766d033ba86961c19cf82a5e3121e1965028d4c092cacc82d4029d62029a8874b8ffb94cc46112ccd61c1567aa2926494d09053777910f819173

Download Submit
C:\Users\Admin\Desktop\ResetExit.m1v.14E-AFB-3D5

Filesize
213KB

MD5
bd6aaeeace7363f0b357cb735ce5582f

SHA1
18eeb15df857ed208ee88d13a2a3b99d60599725

SHA256
7ae1b886c9e782d5710c6001e0a978aaff11191821b8892dd44cb925a6e376fd

SHA512
f7917b6288092a4a0f061628763c435c3e146f45ad24b4c0df78e35befb086688d584471c0a9b7707e4ecb0d6f03772f54f192d14b992907fbd7bf574c3e0661

Download Submit
C:\Users\Admin\Desktop\ResolvePop.mhtml.14E-AFB-3D5

Filesize
586KB

MD5
3134dbae039a3c1149a3a84e32bac127

SHA1
ad8310eac5a88ce68ffad808a913a18990113125

SHA256
005976543e92e760053e7f1c7f04b24e463b9e3c42f2a634052c538c9780ec09

SHA512
ce6dd1b8463b56cf2d2d385511ee36833ef6dbac76ae8e4984c69f69c5f7ff768b9320bb57df0020e754e3d2d9c8185aff294036befb5b56eb7a7277dcc88b40

Download Submit
C:\Users\Admin\Desktop\SavePublish.mp4.14E-AFB-3D5

Filesize
225KB

MD5
9c4269893d1cfe6c9ce4de5435451eca

SHA1
e67cb5105a6803c2b51fc7ac5b9d494ee47f133e

SHA256
e04578697bff496930bd7685742e957e3aa622032130c7d331d16bfc16c8d413

SHA512
7a723da8f1251f9c69691c4dc220a7fd93d697211b14c760bd75fe439b8aa485fc58b8f2434343bcc91a1c703926c6a63ea9a73e1c0c54c16e93212551124ef4

Download Submit
C:\Users\Admin\Desktop\SelectSwitch.clr.14E-AFB-3D5

Filesize
374KB

MD5
41cf3de7efc443ba1a5a30833cb18ab6

SHA1
4d14db2b3fa6b3673db74884ef6c512b11ad66f4

SHA256
0cbc30801ab952762d2e808e22ca3855e686742371b04e8c9edf5d48b90580c9

SHA512
466f7c6684fa5ce164bb32e6cc50d2325e6204cee18b945ba4b83bfa29e739e99c8119eb511777cd5a24e74a15c1e4bc219b7ee33cf348556d80776c35f245fc

Download Submit
C:\Users\Admin\Desktop\SetRepair.mhtml.14E-AFB-3D5

Filesize
300KB

MD5
db87c2c184eded56ac2786b5e9a20b99

SHA1
813c6db5dab2b44d77a8db7ed51865208451c774

SHA256
a8e2b89cb64668903582b6c2b6255ac45af464ae66a835d899a15e533077add6

SHA512
ee0eda15167ca08110ca9e0b283b7bbadc67b5bcd55979bab3dd5ac6a5ceee42b823c5cdd114be439eceba5e81c728539a67be3a805143119b62b273790763c2

Download Submit
C:\Users\Admin\Desktop\StartSave.mp3.14E-AFB-3D5

Filesize
163KB

MD5
07d99587c4bbd2e449f0173fec690e7d

SHA1
ddb2d1953e6ca01514f7cf767ae7eb64cbb64fbe

SHA256
c51f831b96b2a4580de04f5851ec6f9f0813bc84d40476fac23fe6c4a0180049

SHA512
9b22160a328ff5048ba7c779d9b4fb7a6a7950ce3df317fc12bd4ad960f96008fee54d060efa01583ef961147bdd010b30c8189dff41069d39bde805e501bae7

Download Submit
C:\Users\Admin\Desktop\SyncUnblock.avi.14E-AFB-3D5

Filesize
399KB

MD5
a55cf521ea4c84515b75ec892e02d43e

SHA1
637adb6fc5acf494ea9bf8f1e3e173def2b02d64

SHA256
fde86f4ec6984fc02c81eb02eea3a71b56959e188b3b96a5db9cd9a91d85ae2e

SHA512
189a81af5d950ad510b4c553b055b914d425577d0dbd0255084e08c0f4ebdefce5c8e038d0ad030e2b1dbd855f2541f8d654f4e6f46354f099120557d96ce166

Download Submit
C:\Users\Admin\Desktop\UnregisterRepair.asp.14E-AFB-3D5

Filesize
150KB

MD5
ac24c393b45c3fc606559896bc0f3d29

SHA1
324b83b549a172120f6590d9756adc0aba62b3f8

SHA256
6d08c8d19c4845f0d857ca1d557928a753de4d7776206e18374dc01bb9e96d03

SHA512
6d43adf5a2fae90d9b00548b3838f855ac7c8ce41a65157e29829c655d70d2c66f28963c9e96a9c7dbf273b243cb8c42bd03fcf88828128cfc12b27aa31b9040

Download Submit
C:\Users\Admin\Desktop\WaitMount.mpa.14E-AFB-3D5

Filesize
387KB

MD5
45037db8ffd9e0670be1a1d45341afda

SHA1
4ee84bc28d926a35c9ee7a963e91593d6617e603

SHA256
e1d6421b3d138e376368d00685704b6b2f836f99a012e550705970d7179d0277

SHA512
8c46119b2675fd963231add6acabb793959ac944eb55357b0249f74ba78c4e18dac54dea4f3e23d8bd2011c86cda58aa06344525f1dbe3412ccbd4638ec9ff9f

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
2d5421cc20161ad59dcde312e4679433

SHA1
6d11660e1b7fa33db1e41a0bc2047df9bb4f68cc

SHA256
a07055334dc7cb968f21dc75f5e9d486e65f9fe4856ca6572cd468c68cebde65

SHA512
776385880013a50ffa9c2f7c98571e79c864b5652451ecb69feaa6dbe774656073a8b634c1c1bcd429316d0c9de676cb0412e8b4a0765c82bae4375376389807

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
memory/1196-4078-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/1196-30316-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/1196-22509-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/1296-77-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1296-71-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1504-177-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2008-10804-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2008-20356-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2008-30284-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2008-28247-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2356-98-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-30315-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download