Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12-05-2024 15:21
Behavioral task
behavioral1
Sample
3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
-
Size
212KB
-
MD5
3ac926d3bca5450ce48d10c253700ae4
-
SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23
-
SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa
-
SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5
-
SSDEEP
6144:Via1gMHvEXtAuL5Qnqn64DQFu/U3buRKlemZ9DnGAe+hH+8:VIMH2Gw5Qb4DQFu/U3buRKlemZ9DnGAV
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload 10 IoCs
resource yara_rule behavioral1/files/0x0008000000015626-64.dat family_zeppelin behavioral1/memory/2356-98-0x0000000000070000-0x00000000001B0000-memory.dmp family_zeppelin behavioral1/memory/1504-177-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/1196-4078-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/2008-10804-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/2008-20356-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/1196-22509-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/2008-28247-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/2008-30284-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin behavioral1/memory/1196-30316-0x0000000000980000-0x0000000000AC0000-memory.dmp family_zeppelin -
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7385) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1296 notepad.exe -
Executes dropped EXE 3 IoCs
pid Process 1196 smss.exe 2008 smss.exe 1504 smss.exe -
Loads dropped DLL 2 IoCs
pid Process 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: smss.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\G: smss.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 20 iplogger.org 22 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 geoiptool.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kuching smss.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.DPV smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITS.ICO smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Atikokan.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.MANIFEST smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR12F.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Toronto smss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\http.luac smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO.14E-AFB-3D5 smss.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7es.kic smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Denver.14E-AFB-3D5 smss.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\rt.jar.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099171.WMF smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP.14E-AFB-3D5 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.14E-AFB-3D5 smss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1848 vssadmin.exe 1984 vssadmin.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 smss.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe 1196 smss.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe Token: SeDebugPrivilege 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 1460 WMIC.exe Token: SeSecurityPrivilege 1460 WMIC.exe Token: SeTakeOwnershipPrivilege 1460 WMIC.exe Token: SeLoadDriverPrivilege 1460 WMIC.exe Token: SeSystemProfilePrivilege 1460 WMIC.exe Token: SeSystemtimePrivilege 1460 WMIC.exe Token: SeProfSingleProcessPrivilege 1460 WMIC.exe Token: SeIncBasePriorityPrivilege 1460 WMIC.exe Token: SeCreatePagefilePrivilege 1460 WMIC.exe Token: SeBackupPrivilege 1460 WMIC.exe Token: SeRestorePrivilege 1460 WMIC.exe Token: SeShutdownPrivilege 1460 WMIC.exe Token: SeDebugPrivilege 1460 WMIC.exe Token: SeSystemEnvironmentPrivilege 1460 WMIC.exe Token: SeRemoteShutdownPrivilege 1460 WMIC.exe Token: SeUndockPrivilege 1460 WMIC.exe Token: SeManageVolumePrivilege 1460 WMIC.exe Token: 33 1460 WMIC.exe Token: 34 1460 WMIC.exe Token: 35 1460 WMIC.exe Token: SeIncreaseQuotaPrivilege 1460 WMIC.exe Token: SeSecurityPrivilege 1460 WMIC.exe Token: SeTakeOwnershipPrivilege 1460 WMIC.exe Token: SeLoadDriverPrivilege 1460 WMIC.exe Token: SeSystemProfilePrivilege 1460 WMIC.exe Token: SeSystemtimePrivilege 1460 WMIC.exe Token: SeProfSingleProcessPrivilege 1460 WMIC.exe Token: SeIncBasePriorityPrivilege 1460 WMIC.exe Token: SeCreatePagefilePrivilege 1460 WMIC.exe Token: SeBackupPrivilege 1460 WMIC.exe Token: SeRestorePrivilege 1460 WMIC.exe Token: SeShutdownPrivilege 1460 WMIC.exe Token: SeDebugPrivilege 1460 WMIC.exe Token: SeSystemEnvironmentPrivilege 1460 WMIC.exe Token: SeRemoteShutdownPrivilege 1460 WMIC.exe Token: SeUndockPrivilege 1460 WMIC.exe Token: SeManageVolumePrivilege 1460 WMIC.exe Token: 33 1460 WMIC.exe Token: 34 1460 WMIC.exe Token: 35 1460 WMIC.exe Token: SeBackupPrivilege 668 vssvc.exe Token: SeRestorePrivilege 668 vssvc.exe Token: SeAuditPrivilege 668 vssvc.exe Token: SeIncreaseQuotaPrivilege 3044 WMIC.exe Token: SeSecurityPrivilege 3044 WMIC.exe Token: SeTakeOwnershipPrivilege 3044 WMIC.exe Token: SeLoadDriverPrivilege 3044 WMIC.exe Token: SeSystemProfilePrivilege 3044 WMIC.exe Token: SeSystemtimePrivilege 3044 WMIC.exe Token: SeProfSingleProcessPrivilege 3044 WMIC.exe Token: SeIncBasePriorityPrivilege 3044 WMIC.exe Token: SeCreatePagefilePrivilege 3044 WMIC.exe Token: SeBackupPrivilege 3044 WMIC.exe Token: SeRestorePrivilege 3044 WMIC.exe Token: SeShutdownPrivilege 3044 WMIC.exe Token: SeDebugPrivilege 3044 WMIC.exe Token: SeSystemEnvironmentPrivilege 3044 WMIC.exe Token: SeRemoteShutdownPrivilege 3044 WMIC.exe Token: SeUndockPrivilege 3044 WMIC.exe Token: SeManageVolumePrivilege 3044 WMIC.exe Token: 33 3044 WMIC.exe Token: 34 3044 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 1196 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 29 PID 2356 wrote to memory of 1196 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 29 PID 2356 wrote to memory of 1196 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 29 PID 2356 wrote to memory of 1196 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 29 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 2356 wrote to memory of 1296 2356 3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe 30 PID 1196 wrote to memory of 1248 1196 smss.exe 31 PID 1196 wrote to memory of 1248 1196 smss.exe 31 PID 1196 wrote to memory of 1248 1196 smss.exe 31 PID 1196 wrote to memory of 1248 1196 smss.exe 31 PID 1196 wrote to memory of 1028 1196 smss.exe 32 PID 1196 wrote to memory of 1028 1196 smss.exe 32 PID 1196 wrote to memory of 1028 1196 smss.exe 32 PID 1196 wrote to memory of 1028 1196 smss.exe 32 PID 1196 wrote to memory of 1428 1196 smss.exe 34 PID 1196 wrote to memory of 1428 1196 smss.exe 34 PID 1196 wrote to memory of 1428 1196 smss.exe 34 PID 1196 wrote to memory of 1428 1196 smss.exe 34 PID 1248 wrote to memory of 1460 1248 cmd.exe 38 PID 1248 wrote to memory of 1460 1248 cmd.exe 38 PID 1248 wrote to memory of 1460 1248 cmd.exe 38 PID 1248 wrote to memory of 1460 1248 cmd.exe 38 PID 1196 wrote to memory of 2548 1196 smss.exe 36 PID 1196 wrote to memory of 2548 1196 smss.exe 36 PID 1196 wrote to memory of 2548 1196 smss.exe 36 PID 1196 wrote to memory of 2548 1196 smss.exe 36 PID 1196 wrote to memory of 2744 1196 smss.exe 39 PID 1196 wrote to memory of 2744 1196 smss.exe 39 PID 1196 wrote to memory of 2744 1196 smss.exe 39 PID 1196 wrote to memory of 2744 1196 smss.exe 39 PID 1196 wrote to memory of 1916 1196 smss.exe 40 PID 1196 wrote to memory of 1916 1196 smss.exe 40 PID 1196 wrote to memory of 1916 1196 smss.exe 40 PID 1196 wrote to memory of 1916 1196 smss.exe 40 PID 1196 wrote to memory of 2008 1196 smss.exe 41 PID 1196 wrote to memory of 2008 1196 smss.exe 41 PID 1196 wrote to memory of 2008 1196 smss.exe 41 PID 1196 wrote to memory of 2008 1196 smss.exe 41 PID 1196 wrote to memory of 1504 1196 smss.exe 42 PID 1196 wrote to memory of 1504 1196 smss.exe 42 PID 1196 wrote to memory of 1504 1196 smss.exe 42 PID 1196 wrote to memory of 1504 1196 smss.exe 42 PID 2744 wrote to memory of 1848 2744 cmd.exe 46 PID 2744 wrote to memory of 1848 2744 cmd.exe 46 PID 2744 wrote to memory of 1848 2744 cmd.exe 46 PID 2744 wrote to memory of 1848 2744 cmd.exe 46 PID 1916 wrote to memory of 3044 1916 cmd.exe 49 PID 1916 wrote to memory of 3044 1916 cmd.exe 49 PID 1916 wrote to memory of 3044 1916 cmd.exe 49 PID 1916 wrote to memory of 3044 1916 cmd.exe 49 PID 1916 wrote to memory of 1984 1916 cmd.exe 50 PID 1916 wrote to memory of 1984 1916 cmd.exe 50 PID 1916 wrote to memory of 1984 1916 cmd.exe 50 PID 1916 wrote to memory of 1984 1916 cmd.exe 50 PID 1196 wrote to memory of 2876 1196 smss.exe 51 PID 1196 wrote to memory of 2876 1196 smss.exe 51 PID 1196 wrote to memory of 2876 1196 smss.exe 51 PID 1196 wrote to memory of 2876 1196 smss.exe 51 PID 1196 wrote to memory of 2876 1196 smss.exe 51 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:1028
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:1428
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:2548
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1984
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2008
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 13⤵
- Executes dropped EXE
PID:1504
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵PID:2876
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
PID:1296
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
2File Deletion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5a5bbc9c29fb277dfc82f3558ac96ae7c
SHA1e3ecbc7701d2c849d166c132ae92b5fa70ee58fe
SHA25618b28dbdd1126941f7799e5f3b56b0cf932d21af2e1c60e5725de6e296b1d69b
SHA51204e095bd2a17f70d7979e1ed78ce6d5d255ac7267cf89343b890d52aa2a0ab13064d45abc1745c80d6f20e7e6fe4b3fbd76d9baf3a3b3c7e1fede2e1999e21e3
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt
Filesize29KB
MD56896925b1fb91e7a49f4e8b38e272368
SHA193106de64eeeb9b05f3bbcdd523f525f3d331dfe
SHA256045cd18bad678c94176dea1a0131f5de34ee2ba5cb546e2afe428fc7cd801c01
SHA512b02db9e2dc58809617f1f898f754712a9aa40df842f50f98cd904f001397e7a4511c07cd63c34d4cab534c050466ec495393e78a39d16244c174b2007810c92b
-
Filesize
125KB
MD556038f65034ce7e3d3cb6fbaf58d8fb0
SHA19ec19cef50ebd625f6fac9b567f9bcda8dcacca0
SHA2560b33c9a0e3b80f2264538f530e3c4a4b025c3be55303ecd17dd9e9834f71e2ca
SHA512a9ebad7ea860e15b0c34057767275e33f19bb4e579374b54c608eef8c1ab069fd1840fc337d7fb0f80f4da4ab0ea87ee0d0d9d3c8b3cd51d20e77e3fa422e37d
-
Filesize
78KB
MD537ad3bc45e791829d64645243b6cdff3
SHA195a734d0117ff73a6d497d0a09104be817720fb3
SHA2569ea048e5050baf703bb62f0e1cda15e2b32009c902fad75bce9465b73cacb95b
SHA512bb99a4eaf880f549d411d6e82c2cb80f33503768a1bb11cd5c32876ae260b2ff50e69e47e67feb94fcde933a7daa479f49fafeca02b8c09526c97b057d9ad3d9
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp
Filesize8KB
MD5d0484fdb94dd67bc655d0cefcdd4b091
SHA1ea46e90917cee6e0cf8ef3c4d5dd58e24b3976ed
SHA256301a51e930bd53cb9e5619d91ec59c781ace9cebd6455d9663148c43295f98a7
SHA5125765ced9439bb55103cd8b09d85a237da66e9cc8eab8dc7bffcfd7d3a270662c522f23e0ccb383a08780a7cbc87c78464dc16515c5e1e004eea36092b7bc2109
-
Filesize
78KB
MD593a94e722ff52b7c17dd5f95fdb817f9
SHA1d2d2459c254b7392d382bf929bc4b4a8283f9830
SHA256034a58202cc0f3cd83f6c10ceb86013952c78bf4c073121bcaf484c3d344fcf5
SHA512f4ffd71aa715474c4a33283e1b7be360e2b109dc536055b127784e1326e4e5683d6de9ea4ae8fdda34cc97792cbf55382798f4a8444619dfa96b077715b4e268
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml
Filesize249KB
MD5e11b4cf2728c1f78f5487126ece7b2ed
SHA19a28d293d9910b575eb0d15df7f1f61cfdec5538
SHA256a8c164de2a9ae312f807869f25a097e944a6fc9bfdcc3d6968a8dbf8f5926ffa
SHA512a8acd8f57a1acf79c61879284ea57422ae4aa136c61f78e0468cd11e5c76a0658b37046d2f1556b419215f805815e29a189f7b14e7a21cbc18d61a261ae46e48
-
Filesize
78KB
MD52b99134b425b046ef90069340721a341
SHA10b7c71eba857d5d2681d693a1770fcdd02379965
SHA256fee72633f7d28ba5730361ea49f30c6f1e20e0e099dd68413696e831404f5d98
SHA512dd067c3b92459580915a5f67739a34b94b2d775c8ef704347bbe9392d29f97e0447e88ea3aa3520e3fbc41ef57d471ed27cc7e69f2bb7b40df68d23bc7b36f6d
-
Filesize
78KB
MD5cc14d689c06c7d2a3c0b4e7141bb9062
SHA103e08872afe6bfe49a57f33b6c926d68285e0879
SHA256fa5f9626f94a2a5ac4eb514cef18a23df4d79598b015dc56e5c9993a996642ba
SHA51217715621883a099c84df4c63b4652f56774b9ed6a2209179d4ca8c1b405c8e2d66f24cb2c030fbfe8ed9dc22739d21ea3bb2b1fe4c6349f9643a28696a21112f
-
Filesize
946B
MD562c1a28d988e2e3c9ff0b10b85e8638a
SHA168381870942f86ab64f80310e1efc8fd6154497e
SHA256dc413d38cc1d9cac0482e3aab9c40ba47a4d5848ad88bd5601f823c404565463
SHA51292575b499f9546720d5f0ff7c12c7ee74e9cf4fa230f00913620039cef1aedfe30b2f1d2534ba7a8f04e4952a9a56b7232e4f55707ad204cc0f124c3ea4b0180
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html
Filesize10KB
MD5100eeca90212de3ac8a2e2e2e2612d97
SHA1c040cbfec2ba3c9a7190a8247f94cdbe2894c3ca
SHA256c65aaa811751a3de05b8c6c72f8b5174d86dd1c47813dce8a588007c2c7ddbfe
SHA512827898d7b3f861821f38be44dfa7a6fc86a7a3237121342577fc097e7e6eadd46f86999af511576d7893d3ac2d796fae2bbe1fd9d8795fd656fcea2594ce1b49
-
Filesize
604KB
MD5269460fe31165ebc55a570320c75449b
SHA1fdd35583a96a6fe1f9b6725bb944436bfe83cc25
SHA25616d645ffbcd9490867bacf166b19eb712246b6358dbe47d10daac126fa307ea7
SHA512c34727d40f0f85fae358c40868e9e7e043c9702dbcb64cfbdb19a04d57c0d75165f118487ac440564d09a6db19fe5b330e251a58a8014db3cfbecc89682a0ee8
-
Filesize
785KB
MD506b0ed7f13d39321a2032b38435e03a7
SHA1f72b20da8b75ff5b16cd3cfdcb1fa1c11054a517
SHA25654d636052be8a2a2b46344c829b69c97b9ef212d27b80ef6988fa6ac180dfac9
SHA5126730df5ae5160ebd0c9d96a42a74cf3d9717a980f9ad0a8d2dd2071fa48896205c75ce26b2ce936c2dabc92a025915bf6d165c8202b679001d38e1ca641a9c7a
-
Filesize
600KB
MD5beb26d4ef9ecdeba5c6d439e84da6dae
SHA192f0f6a97c5b02a037ff11814927a626fcca52ea
SHA256002c48d0226c1bce9734e7019d4ccb57d11e11d8974d132ac50a40cc87dcf154
SHA5127cbee62b51aebe03973d48d3c20b329767a81aec5d0387d6d54803c0e33a1690ed283581f07a7d345a60b0d1c61e1d6a176b9da0959e1836b282d0f4fb42ff58
-
Filesize
621KB
MD57b6339ce74473709dedf5881d99a2061
SHA1d44ca3c5b8cd757d74dbe075fb45607ae849c927
SHA256780f43bcd1cde93716c65a35aa705a3aa6870e7e3215020e00149c1a18aee5c2
SHA512cd0ae85de3cfeeb1a2f68738cdcf8eb843fd088dc8983ada1a1a91b6b0d03905c0b20cdf63792db02424d535bd3f022eda50ec7b349ca5721afb205aa1843e25
-
Filesize
771KB
MD5bee6b2939ba766563435dcf1743caa6b
SHA1710b3791b17b17d7d31cb6b3358dc210cd1f5b5c
SHA256c8b8dccd4c9d8164193d18d3ea0a5014603e8e726184979c524a60552934d766
SHA5127c8505302ddceed2946801ee28fd864170dbfcb168ccaf54267af38276f037d63204304f0b8a0d5cfacd67960f899b82bcb85ce11e18e93cabe90572c5005c7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize2KB
MD5793f91b724d85cfbee31286611d24276
SHA17ea041859f49b0ddbe169ba8cfae7a012566e901
SHA2561670d1c6d9364e85bbcc0fed25ee15d08f776ff0cda2faa922d2332bbdefe8e2
SHA5121a2a569ea31e129b74d72c88a82c4fababbaf1594035587be2c4605635cbe5b208ee8cc5320ff14b9381861be6eba06423c928bc097c9fd7ef6278bb9b4feec3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize472B
MD528441017ed2172f154d6a0eb6ee6cd87
SHA1b2a96dc105d2603b76c8a06da371fe207f44ada7
SHA2560eb597a1106d9f406c3a235763137119b0c2ecbf4c5ed4776b38742f85cddcb0
SHA51269f5ad19f1104a9d2918ba113e49bd27f9047a9c5a9300a06dcfbeb76e6cc5161cf53225816d6df1b4b3b680e86e9eb0ad1791189dfd0f1a351250924b6d3923
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5a26045c60badc3ea12344117b7bc4403
SHA1e042d0cb3844ca44869d5e01a2e427144b458556
SHA25669872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925
SHA5127b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize484B
MD5f2a7bef3c890748b52e2fc35b32663c2
SHA17c5538bfb0fe21c17bbaa3183d1a081d5eea906d
SHA256a6db3fb549254bfae69b44499d5ef43d1b9c245b3098d9c159cdbbb1c218a683
SHA5128755efb2c0141414abe270d5ba107cfb26e1961e0b12675c5c8e27eedc434bcb3679a019c75fda6a643a191705db52b59618e4a5308d035c48ac5a1e2facdfe9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize488B
MD57485735150780d51c94b8e79b49801be
SHA12aa1a8e5add2a90c096d21fb2f0d711746d06294
SHA25643d1c6e1ebcc2bf7bd5dfb48a82efed786d7311055fdb713d407d15398c73ce9
SHA512ff10c15b69e329dd89e8e0ca8d856d901bf1b209951d9d9325129ea068cf35ad7a21ea87e194f0ac67c631974fc6084ff9a6d9c2d601a014199b731b005cb5a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ee5ed88f64c8f32e00f1a82796f42efe
SHA1344cc85598729a6e2ec411e0b8777c8cf19d42bf
SHA256d98e21f2cb0bfde16f6ff91e553dc595260d46eb6dee218c588e057a8a19e5c1
SHA51272abc3e0cb7b2cd4347d057afe7d990cef4ad7b096e5c03a6d9621c3fdda4fb398301ac8be8f0c14306afbdcdd036fa92659da97ef974e82714b1b4bb1fd864b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e523894127efd959dd309a3ccfc5e5e2
SHA113e8163eb3ef4b0a83069e327c22f12c6d295f98
SHA256c9488e7ca289b2e77afa81712c83cdc43eccc722dbd3e1bdf66e9b8c0a274f07
SHA512cff8bd16b77e7024d7047a124bf31f58481d42119cd162a46c25b7d4bbd47bcf2cb6daad16a2eab5cc2f9b0616d5a5db9f94127d02b8a729af4e0ec2e9144d80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5e774e9649d12cdd6ce3d3b68cc37b326
SHA1810956c31a76191d9767ac8dc280b2c93da4adf9
SHA2565cd32da3672c8721b4ce359b9ca0f885a8bc7d3f92da90ca9dcc7c72d4926920
SHA512cc4aba2f73d6d916edb8e3aaf68d655de61227120552a702799c38c70284cc7a5b132ec60bde67878a24b8afdba3630075ea321c0d28c2a3058954c7689eab8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD559d27db22acf717c6d6e35890a9cbf00
SHA143d961acafb7226bef97c09cab996496a17eac23
SHA256dc9056a03c71474fff14b5138e7a448644ebb188865c2a122046989d6c25632c
SHA512ae4fc25a5c3dab8809c3dd086f65591ef51e1f3463a16fa06a55665c44f7f158cdeef8aaec00c2a18d732c05a3ab7f459bbc347be18a1b2cb01f827304daa20b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\10EQ14HQ\86H149ZM.htm
Filesize18KB
MD546e7f28a55cdab07533424725a04b9e5
SHA148a915fe8958b0882f364b1e0ceb37e7b7948319
SHA256e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b
SHA512717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A9HMGN4E\ATG2T6O4.htm
Filesize190B
MD56ebbeb8c70d5f8ffc3fb501950468594
SHA1c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
SHA256a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
SHA51275cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
406B
MD5ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
Filesize
262KB
MD5ac8b0a68260a56996c171ee4530d323c
SHA1d0f1f8a775e264b610c3ecf2e8a48782b1fd9530
SHA256386454730542ca8e45f482dd672619c0d5409b433f82c628c63df2f3966a5743
SHA5124baea9d06d85229cb3f6a18b59f7cc43851518c6636aee04f137b86f618198d762afa1f305b98a7987e093208fdfb1c1965fb92537dd94643b0d150dacbf6f5a
-
Filesize
412KB
MD5e8773ec3b87a29b60de2d982c9173d4f
SHA1c5d75fb52bb9d0922d1ddbcd617bd470604b365e
SHA2569f719f0ffbdde1526058b2a39b55ddc49fd8db4ae89cf48b48594c782d66d673
SHA512c69317ff8b8acba1c63028b78f41b3171db1676e94bd005a6dcc14cb934bf87aa995bb6f219d386c852bd1bebdb28d3faf8025e8240499f1eff8d4133387a267
-
Filesize
275KB
MD57e8b1402bb433eda4d250bcae92d6add
SHA1de24bb72ce6373e6d22aa2cccd97fc0d0fc9247b
SHA2563ac611dcc3c2a17a36cc7b24658c6640ca76dc9d1870d343655c9ded6636fb87
SHA51224a5b66e5503ddaa3c9dff9e0f02cf263231cd8d69fb42b929aa7e216407436c434643289f6ffc3b806614740653cde15aef1bef78d6172267a23066e02f1b08
-
Filesize
337KB
MD5da460cceb7d21bb1b777172886f00b36
SHA1f8892964a345cf1b5ad4b1295a9222a63df8beec
SHA256d2b993c891f6ffc4198a63a77e5b318d10a3cd1ca2487c991493ecae11b87bb3
SHA512b9d43cfa9e8b2167841acefe224e4e38b6d81385dddbbb964509eea7ca3867de59cdd83691cdb98299a0df056dbb7a932598cbfe4d37263157ab2487f638104d
-
Filesize
424KB
MD5385cd401da3db25d291102680c9a255b
SHA16fb2e99eb50f236197466f057fdc474a5d6cef4e
SHA256e43ae87a5df20a9a14fa4a0586d8716429b96e1b6846d5bad2091ee4c6350a02
SHA512222c7ab5576fb952bab15655440b1fcbb516b7eaab59189c3f48609f397644a1e7d4687ce87c513f00c2a535c913ab08c128b667dae6bd1794929b632f97e199
-
Filesize
200KB
MD5e92e03456726a3e0d1b5191a49665f5e
SHA1652fe6106455013710e6511edb1777cdf0e7b0fb
SHA256cd9f16c5005dabc552aed853b0e63c76b3ef73d380350f48f05c149cac779d1f
SHA5124d664ccf4f6cfd1570836fab159aefb01b9cad8b626e172c4a89bd9efb820e7062803f07941917d15759c93a6181f5a75266659dbe012580d6ffd36652ba1b0b
-
Filesize
238KB
MD5ea785fe3b21a51d17801dc733f161723
SHA17eb1705b5d2773f4c55cf298f4dce886bd94295f
SHA2567700843bc5e3012d440443bc16b074e9f8b6ee9262c000752d9b114b6b0b5492
SHA512708c5e7d82e538e444078ec34e6a7e1202ab99c25bf27c218a7fdd82bb0fe77cdb40b739030bc27f05e72788317fb8176c14d5d5e5bd03a63895ea75c94f7bfb
-
Filesize
312KB
MD52ae8e7e8c5b1437d88847cb8c67b2a50
SHA1c20c137f2031c452a37bff536d71a98cb7af13c1
SHA2565c8ad92af527ece1939a6ca793de572f94381e8c01d26e7a729ee904e8b180cb
SHA5125b2b2b277e00922bb06180271fdc1f36ceed7787f9c57cbad1e4ac7cc4a002d035243123c463ff4d20c1ea80e878124cbb1eb662b0c9c001af7855290f119778
-
Filesize
325KB
MD56ae3f0cad507530f59d294664ed758c9
SHA13afec150ffbd7be07cca83b4bc9961e20723aec3
SHA256d50f3bc10a7181e8cca130981977c3e27e384ae50f4b10989822de5f9a67ca60
SHA51213b1f6affb20182263e276643ac48ae271a57ef03ea787ca39ae36790be13de848bcceaeed419c33482ee0f56370e79d7f1061db81f723f20bce79454292e461
-
Filesize
362KB
MD5e209219e7690389d8c3c0b88c1dc9d9d
SHA1f4b12160de659ce8bc78b0dd7434814fbaf415bb
SHA2567735e08fe56fe2ca74983963951b73b516d5be321dd27884105ea1cb895d070b
SHA51262868ba9ab4a751b3dff6cb2ffc0a1644917bbfabf5ac2d915ef313d77c2a2afcf887f3d009765915666d70079f26611d802819e21d96050c3ddc76af1e5d8a2
-
Filesize
175KB
MD58766071c3ab359f0ed6074644b01526f
SHA1608013f0a975b184a5c7ac987d5890ba994261db
SHA256d0b29872f4cd13670967bb0729dc12982feba128473740bb0fdfdfed27a0ccd5
SHA5121e2b76d98f025e167cbc8690796bbf460969913ebf1a39d93ef1b83e15301fafe5271a91627eb10498aeaa31cad72f77a5e4f2b2a0711fba3ef0801ea4ca9fb9
-
Filesize
350KB
MD56b8586b91b11334d6c61e6c0c59513d4
SHA11f7bf37d9618cb0e845fefe369888653e851da43
SHA25680d3634905de82110e8d6174dcba575a3a5d4866b0e47217864b5bf361a3b314
SHA51236b1e88faffa1f484bccfd8c009374cdfa9abe1c79025701524565b04fa74f5fbcee76eb700f27cb141437bdb8227b4ad3be6a39f9210f01e35ebc289ca03bbe
-
Filesize
287KB
MD53737d44f4fbdc6dd721921b851622d07
SHA16df2d05f4f33d3ac51bb9cf8acf7d9812b3ba079
SHA25649cfe4314dbf58ece3e2403683f3b3ed32b286de85cb56a4bd79b8ca6be3b732
SHA51277c0f75dcbba208c381be711552d967aea8d67616d2ccd534e6b899d488775ed177fa59db387fd07317af8a17590798d47661bef145913f8826fb16959485a45
-
Filesize
250KB
MD5ffd53f3d6a038bc5623f6940bb825928
SHA18aa69cd657dd8956ed38efec3abc1c88bfec95ac
SHA256fd3cbae61c7a8297d917e6ee47c2d334bcd97507ccc7dcb3107be8719dbf9809
SHA5129a09b0c9a2496aa11afccdf396fe7cfcd494d3a89fbb1a6ca32b79744f6ed80c8013e50760ac415dc47b42eaace4c9af8049548d4a30f54446c70e0a40de3b0f
-
Filesize
188KB
MD5ef0830edc81cf125c4fcd36a14624bca
SHA1698b7bcf60f840eb0e422a3f6b918e918b547ed2
SHA256210846a90f3bc5a275764562bf84ccba29dcdaa8e7d0dabe1362f9e1d9299ce6
SHA512576b10b9b662766d033ba86961c19cf82a5e3121e1965028d4c092cacc82d4029d62029a8874b8ffb94cc46112ccd61c1567aa2926494d09053777910f819173
-
Filesize
213KB
MD5bd6aaeeace7363f0b357cb735ce5582f
SHA118eeb15df857ed208ee88d13a2a3b99d60599725
SHA2567ae1b886c9e782d5710c6001e0a978aaff11191821b8892dd44cb925a6e376fd
SHA512f7917b6288092a4a0f061628763c435c3e146f45ad24b4c0df78e35befb086688d584471c0a9b7707e4ecb0d6f03772f54f192d14b992907fbd7bf574c3e0661
-
Filesize
586KB
MD53134dbae039a3c1149a3a84e32bac127
SHA1ad8310eac5a88ce68ffad808a913a18990113125
SHA256005976543e92e760053e7f1c7f04b24e463b9e3c42f2a634052c538c9780ec09
SHA512ce6dd1b8463b56cf2d2d385511ee36833ef6dbac76ae8e4984c69f69c5f7ff768b9320bb57df0020e754e3d2d9c8185aff294036befb5b56eb7a7277dcc88b40
-
Filesize
225KB
MD59c4269893d1cfe6c9ce4de5435451eca
SHA1e67cb5105a6803c2b51fc7ac5b9d494ee47f133e
SHA256e04578697bff496930bd7685742e957e3aa622032130c7d331d16bfc16c8d413
SHA5127a723da8f1251f9c69691c4dc220a7fd93d697211b14c760bd75fe439b8aa485fc58b8f2434343bcc91a1c703926c6a63ea9a73e1c0c54c16e93212551124ef4
-
Filesize
374KB
MD541cf3de7efc443ba1a5a30833cb18ab6
SHA14d14db2b3fa6b3673db74884ef6c512b11ad66f4
SHA2560cbc30801ab952762d2e808e22ca3855e686742371b04e8c9edf5d48b90580c9
SHA512466f7c6684fa5ce164bb32e6cc50d2325e6204cee18b945ba4b83bfa29e739e99c8119eb511777cd5a24e74a15c1e4bc219b7ee33cf348556d80776c35f245fc
-
Filesize
300KB
MD5db87c2c184eded56ac2786b5e9a20b99
SHA1813c6db5dab2b44d77a8db7ed51865208451c774
SHA256a8e2b89cb64668903582b6c2b6255ac45af464ae66a835d899a15e533077add6
SHA512ee0eda15167ca08110ca9e0b283b7bbadc67b5bcd55979bab3dd5ac6a5ceee42b823c5cdd114be439eceba5e81c728539a67be3a805143119b62b273790763c2
-
Filesize
163KB
MD507d99587c4bbd2e449f0173fec690e7d
SHA1ddb2d1953e6ca01514f7cf767ae7eb64cbb64fbe
SHA256c51f831b96b2a4580de04f5851ec6f9f0813bc84d40476fac23fe6c4a0180049
SHA5129b22160a328ff5048ba7c779d9b4fb7a6a7950ce3df317fc12bd4ad960f96008fee54d060efa01583ef961147bdd010b30c8189dff41069d39bde805e501bae7
-
Filesize
399KB
MD5a55cf521ea4c84515b75ec892e02d43e
SHA1637adb6fc5acf494ea9bf8f1e3e173def2b02d64
SHA256fde86f4ec6984fc02c81eb02eea3a71b56959e188b3b96a5db9cd9a91d85ae2e
SHA512189a81af5d950ad510b4c553b055b914d425577d0dbd0255084e08c0f4ebdefce5c8e038d0ad030e2b1dbd855f2541f8d654f4e6f46354f099120557d96ce166
-
Filesize
150KB
MD5ac24c393b45c3fc606559896bc0f3d29
SHA1324b83b549a172120f6590d9756adc0aba62b3f8
SHA2566d08c8d19c4845f0d857ca1d557928a753de4d7776206e18374dc01bb9e96d03
SHA5126d43adf5a2fae90d9b00548b3838f855ac7c8ce41a65157e29829c655d70d2c66f28963c9e96a9c7dbf273b243cb8c42bd03fcf88828128cfc12b27aa31b9040
-
Filesize
387KB
MD545037db8ffd9e0670be1a1d45341afda
SHA14ee84bc28d926a35c9ee7a963e91593d6617e603
SHA256e1d6421b3d138e376368d00685704b6b2f836f99a012e550705970d7179d0277
SHA5128c46119b2675fd963231add6acabb793959ac944eb55357b0249f74ba78c4e18dac54dea4f3e23d8bd2011c86cda58aa06344525f1dbe3412ccbd4638ec9ff9f
-
Filesize
83KB
MD52d5421cc20161ad59dcde312e4679433
SHA16d11660e1b7fa33db1e41a0bc2047df9bb4f68cc
SHA256a07055334dc7cb968f21dc75f5e9d486e65f9fe4856ca6572cd468c68cebde65
SHA512776385880013a50ffa9c2f7c98571e79c864b5652451ecb69feaa6dbe774656073a8b634c1c1bcd429316d0c9de676cb0412e8b4a0765c82bae4375376389807
-
Filesize
212KB
MD53ac926d3bca5450ce48d10c253700ae4
SHA10a918e434b1f8e125fb23a71c7317e6b16f3df23
SHA256b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa
SHA512ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5