Analysis
max time kernel: 140s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 24-05-2024 08:22
Behavioral task: behavioral1
Sample: 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
Size: 155KB
MD5: 6ddeeb36a6569a8a145e7a85a152a5d2
SHA1: 29f9bbf8b56429bbbb3ca3d34cbd0100ce2eff25
SHA256: 24c9154acd3eb56367df51d49ded984f64b312a048c6c72da24d28577e538116
SHA512: 56f20d9457d64e7242f6c26ae0fc880665804853f7ab246e7f2100cfdc9a9863679165e46c7ba184c0033f900fbe3657bf13819299245fd7964d53d720d3c114
SSDEEP: 3072:veAiXfLb9Dw86q4VRrV5tidHTY4dvoSGxsfcARUFxZJY11qQNIYK2QnmX0qoutCg:2AiH9xIRHtcokchFxLY11tHKDnooSCs5
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 23 IoCs
Loads dropped DLL 64 IoCs
Registers COM server for autorun 1 TTPs 64 IoCs
Memory resources matching yara rule:
behavioral1/memory/2952-0-0x0000000001380000-0x00000000013E0000-memory.dmp (yara rule: upx)
behavioral1/memory/2412-39-0x0000000001380000-0x00000000013E0000-memory.dmp (yara rule: upx)
behavioral1/memory/2952-74-0x0000000001380000-0x00000000013E0000-memory.dmp (yara rule: upx)
behavioral1/memory/2412-75-0x0000000001380000-0x00000000013E0000-memory.dmp (yara rule: upx)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\"" (msiexec.exe)
Blocklisted process makes network request 3 IoCs
Processes:
flow 22, pid 2072, msiexec.exe
flow 24, pid 2072, msiexec.exe
flow 26, pid 2072, msiexec.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" (MsiExec.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (MsiExec.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" (MsiExec.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} (MsiExec.exe)
Drops file in System32 directory 5 IoCs
Processes:
File created: C:\Windows\SysWOW64\WindowsAccessBridge-32.dll (MsiExec.exe)
File created: C:\Windows\SysWOW64\javaws.exe (MsiExec.exe)
File created: C:\Windows\SysWOW64\java.exe (MsiExec.exe)
File opened for modification: C:\Windows\SysWOW64\java.exe (MsiExec.exe)
File created: C:\Windows\SysWOW64\javaw.exe (MsiExec.exe)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (msiexec.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (msiexec.exe)
Modifies data under HKEY_USERS 5 IoCs
Processes:
Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E (msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D (msiexec.exe)
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E (msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E (msiexec.exe)
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F (msiexec.exe)
Modifies registry class 64 IoCs
\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" MsiExec.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBC} MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_20" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBC}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBA} MsiExec.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBB} MsiExec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_13" MsiExec.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_27" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_35" MsiExec.exe -
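The CLSIDs in the registry list above are not random: {CAFEEFAC-xxxx-yyyy-zzzz-ABCDEFFEDCBA} is Oracle's static-versioning scheme for the Java Plug-in ActiveX control, with the three middle groups carrying the JRE family, minor and update number as decimal digits ("0017-0000-0073" is 1.7.0_73) and FFFF in the update slot standing for any update of that family. The JRE installer registers one CLSID per historical release, every one of them pointing at the freshly installed jp2iexp.dll, so pages pinned to an old plug-in version still load the current one. The script below is an added example, not part of the report: it parses registry events in the report's own line format, decodes each CLSID into a version string, checks that every "Java Plug-in X" default value agrees with the version its CLSID encodes, and collects the distinct InprocServer32 targets. That is the quick way to confirm that the dozens of "Modifies registry class" events are the JRE's own registration rather than something the dropper added. The six sample events are copied from the list above; the A/B/C suffix variants are parsed but not interpreted, and the "_*" spelling for the FFFF wildcard is my own notation.

```python
"""Decode the Java Plug-in CLSID family the JRE installer registers.

Added example, not part of the sandbox report. {CAFEEFAC-ffff-mmmm-uuuu-ABCDEFFEDCBx}
encodes the JRE family ("0017" = 1.7), minor and update number as decimal digits;
"FFFF" in the update slot is the family wildcard. check_events() parses registry
events in the report's own text form and confirms that every "Java Plug-in X" name
matches its CLSID and that every InprocServer32 target is the same DLL.
"""
import re

# Six events copied from the report (constructed subset of the full list).
EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_73" MsiExec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_25" MsiExec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" MsiExec.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA} MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_13" MsiExec.exe
"""

CLSID_RE = re.compile(
    r"\{CAFEEFAC-(?P<family>[0-9A-F]{4})-(?P<minor>[0-9A-F]{4})-(?P<update>[0-9A-F]{4})"
    r"-ABCDEFFEDCB(?P<kind>[A-C])\}", re.I)
# action, key path, optional ' = "data"', acting process: the report's own line layout
EVENT_RE = re.compile(
    r'^(?P<action>Key created|Set value \((?:str|data)\)) (?P<key>\S+?)'
    r'(?: = "(?P<data>.*)")? (?P<proc>\S+)$')


def clsid_version(clsid):
    """'{CAFEEFAC-0017-0000-0073-...}' -> '1.7.0_73'; an FFFF update -> '1.7.0_*' (my notation)."""
    m = CLSID_RE.search(clsid)
    if not m:
        return None
    fam = m["family"].lstrip("0")                        # "0017" -> "17" -> "1.7"
    family = f"{fam[0]}.{fam[1:]}" if len(fam) > 1 else fam
    minor = int(m["minor"], 10)                          # the groups are decimal digits, not hex
    upd = m["update"].upper()
    if upd == "FFFF":
        return f"{family}.{minor}_*"
    return f"{family}.{minor}_{int(upd, 10):02d}"        # Sun zero-pads the update: 1.3.1_08


def check_events(text):
    """Return ({key: 'Java Plug-in X'}, {InprocServer32 targets}, [(key, name, decoded)] mismatches)."""
    names, servers, mismatches = {}, set(), []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["data"] is None:
            continue                                     # 'Key created' events carry no value
        key, data, ver = m["key"], m["data"], clsid_version(m["key"])
        if ver is None:
            continue                                     # not a Java Plug-in CLSID
        if key.endswith("\\InprocServer32\\"):
            servers.add(data.replace("\\\\", "\\"))     # the report doubles backslashes
        elif data.startswith("Java Plug-in "):
            names[key] = data
            if data != f"Java Plug-in {ver}":
                mismatches.append((key, data, ver))
    return names, servers, mismatches


if __name__ == "__main__":
    names, servers, mismatches = check_events(EVENTS)
    print(len(names), "plug-in names,", len(mismatches), "mismatches, servers:", servers)
```

Run over the full list from the report the same way: zero mismatches and a single server path mean the registrations are consistent with a stock JRE install; a CLSID whose name does not match its encoded version, or an InprocServer32 outside the JRE directory, would be the thing to chase.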
Modifies system certificate store
Processes:
javaSetup.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 javaSetup.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde javaSetup.exe
-
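The certificate-store write above deserves a second look before it is counted against the sample. The script below is an added example, not part of the report: it parses the Blob value written under AuthRoot\Certificates\<thumbprint>, which is a serialized store element (repeated records of DWORD property id, DWORD reserved, DWORD length, data, the layout CertSerializeCertificateStoreElement produces), pulls the DER certificate out of the CERT_CERT_PROP_ID (0x20) record, re-hashes it, compares the SHA-1 with both the embedded CERT_SHA1_HASH property and the registry key name, and reads the subject CN with a small DER walker. The answer is the DigiCert Global Root CA, thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436, a root in Microsoft's trusted root program; AuthRoot\Certificates is the cache Windows fills on its own when chain building fetches a root from the Microsoft CTL, and the CryptnetUrlCache entry in the Downloads list is consistent with that fetch. So the "Install Root Certificate" hit in the ATT&CK section is a side effect of Authenticode validation of the Java installer, not the sample planting a root of its own; the check that separates the two cases is the one coded here, whether the DER in the blob hashes to a publicly trusted root. The property-id names come from wincrypt.h and the blob bytes are copied from the report.

```python
"""Parse the certificate property blob written under
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<SHA1>\Blob.

Added example, not part of the sandbox report. The Blob is a serialized store
element: records of DWORD propid, DWORD reserved (1 here), DWORD length, data,
all little-endian; propid 0x20 (CERT_CERT_PROP_ID) carries the DER certificate.
verify() re-hashes that DER, compares it with the CERT_SHA1_HASH property and the
key name, and reads the subject CN with a minimal DER walker (standard library only).
"""
import hashlib
import struct

KEY_NAME = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"       # registry key the blob sits under
PROP_NAMES = {3: "CERT_SHA1_HASH", 4: "CERT_MD5_HASH", 9: "CERT_ENHKEY_USAGE",
              11: "CERT_FRIENDLY_NAME", 15: "CERT_SIGNATURE_HASH", 20: "CERT_KEY_IDENTIFIER",
              25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH", 29: "CERT_SUBJECT_NAME_MD5_HASH",
              32: "CERT_CERT"}                                  # wincrypt.h CERT_*_PROP_ID values
# Blob bytes copied from the report, split at record boundaries for readability.
BLOB_HEX = (
    "04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e"
    "0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9"
    "030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"
    "1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee"
    "2000000001000000b3030000"
    "308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af27"
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d0101050500"
    "0382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde"
)


def parse_blob(blob):
    """Return {propid: data} for the serialized property records in the blob."""
    props, off = {}, 0
    while off < len(blob):
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {propid} runs past the end of the blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_tlv(buf, off):
    """(tag, value_start, value_end) of the definite-length TLV at off."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long form: next n bytes hold the length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln


def der_children(buf, start, end):
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, vs, ve
        off = ve


def subject_cn(der):
    """Walk Certificate -> tbsCertificate -> subject and return the commonName attribute."""
    _, cs, ce = der_tlv(der, 0)
    _, ts, te = next(der_children(der, cs, ce))
    fields = list(der_children(der, ts, te))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    _, ss, se = fields[4]                           # serial, sigAlg, issuer, validity, subject
    for _, rs, re_ in der_children(der, ss, se):                # RelativeDistinguishedName SET
        for _, as_, ae in der_children(der, rs, re_):           # AttributeTypeAndValue SEQUENCE
            (_, os_, oe), (_, vs, ve) = list(der_children(der, as_, ae))
            if der[os_:oe] == b"\x55\x04\x03":                  # id-at-commonName
                return der[vs:ve].decode("latin-1")
    return None


def verify(blob_hex, key_name):
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[0x20]
    sha1 = hashlib.sha1(der).hexdigest().upper()
    return {
        "props": [PROP_NAMES.get(p, p) for p in props],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "der_len": len(der),
        "sha1": sha1,
        "sha1_matches_property": sha1 == props[3].hex().upper(),
        "sha1_matches_key_name": sha1 == key_name.upper(),
        "subject_cn": subject_cn(der),
    }


if __name__ == "__main__":
    for k, v in verify(BLOB_HEX, KEY_NAME).items():
        print(f"{k}: {v}")
```

The same parser applies to any Blob value under SystemCertificates\Root or \AuthRoot; a blob whose DER hashes to something not in a trusted root list, or whose CERT_SHA1_HASH property disagrees with the key name it sits under, is what an actual rogue-root install looks like.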
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid process
2792 jp2launcher.exe
2072 msiexec.exe
2072 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token: SeShutdownPrivilege 1936 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1936 msiexec.exe
Token: SeRestorePrivilege 2072 msiexec.exe
Token: SeTakeOwnershipPrivilege 2072 msiexec.exe
Token: SeSecurityPrivilege 2072 msiexec.exe
Token: SeCreateTokenPrivilege 1936 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1936 msiexec.exe
Token: SeLockMemoryPrivilege 1936 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1936 msiexec.exe
Token: SeMachineAccountPrivilege 1936 msiexec.exe
Token: SeTcbPrivilege 1936 msiexec.exe
Token: SeSecurityPrivilege 1936 msiexec.exe
Token: SeTakeOwnershipPrivilege 1936 msiexec.exe
Token: SeLoadDriverPrivilege 1936 msiexec.exe
Token: SeSystemProfilePrivilege 1936 msiexec.exe
Token: SeSystemtimePrivilege 1936 msiexec.exe
Token: SeProfSingleProcessPrivilege 1936 msiexec.exe
Token: SeIncBasePriorityPrivilege 1936 msiexec.exe
Token: SeCreatePagefilePrivilege 1936 msiexec.exe
Token: SeCreatePermanentPrivilege 1936 msiexec.exe
Token: SeBackupPrivilege 1936 msiexec.exe
Token: SeRestorePrivilege 1936 msiexec.exe
Token: SeShutdownPrivilege 1936 msiexec.exe
Token: SeDebugPrivilege 1936 msiexec.exe
Token: SeAuditPrivilege 1936 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1936 msiexec.exe
Token: SeChangeNotifyPrivilege 1936 msiexec.exe
Token: SeRemoteShutdownPrivilege 1936 msiexec.exe
Token: SeUndockPrivilege 1936 msiexec.exe
Token: SeSyncAgentPrivilege 1936 msiexec.exe
Token: SeEnableDelegationPrivilege 1936 msiexec.exe
Token: SeManageVolumePrivilege 1936 msiexec.exe
Token: SeImpersonatePrivilege 1936 msiexec.exe
Token: SeCreateGlobalPrivilege 1936 msiexec.exe
Token: SeRestorePrivilege 2072 msiexec.exe
Token: SeTakeOwnershipPrivilege 2072 msiexec.exe
(the SeRestorePrivilege / SeTakeOwnershipPrivilege pair for PID 2072 is repeated 15 times in the report, 30 entries in all, which brings the list to 64)
PID 1936 is the msiexec client that javaSetup.exe launched for jre1.7.0_80.msi; PID 2072 is the Windows Installer service (msiexec /V). A client that asks for every privilege its token already holds, and a service that toggles SeRestore/SeTakeOwnership around file operations, is how msiexec behaves on any install, so this list is not by itself evidence of escalation; the sandbox is counting AdjustTokenPrivileges calls, not privileges gained.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
2792 jp2launcher.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
writer pid / process -> target pid / process (calls listed)
2952 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe -> 2688 cscript.exe (4)
2952 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe -> 2412 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe (7)
2412 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe -> 2920 javaSetup.exe (7)
2920 javaSetup.exe -> 1936 msiexec.exe (7)
2072 msiexec.exe -> 1056 MsiExec.exe (7)
2072 msiexec.exe -> 2324 MsiExec.exe (7)
2324 MsiExec.exe -> 1804 unpack200.exe (4)
2324 MsiExec.exe -> 2076 unpack200.exe (4)
2324 MsiExec.exe -> 1972 unpack200.exe (4)
2324 MsiExec.exe -> 2128 unpack200.exe (4)
2324 MsiExec.exe -> 2496 unpack200.exe (4)
2324 MsiExec.exe -> 1512 unpack200.exe (4)
2324 MsiExec.exe -> 2516 unpack200.exe (1; the list stops at the 64-entry cap)
Every pair above is a parent writing into a child it has just created (compare the process tree below). That is CreateProcess setting up the new process, not a write into an unrelated process, which is what this signature is meant to surface; the thing to look for is a writer/target pair that is not a parent/child edge in the tree, and there is none here.
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2952
-
[level 2] C:\Windows\SysWOW64\cscript.exe
  command line: cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  PID:2688
-
[level 2] C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe" /asService
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2412
-
[level 3] C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2920
-
[level 4] C:\Windows\SysWOW64\msiexec.exe
  command line: "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
-
[level 4] C:\Windows\SysWOW64\msiexec.exe
  command line: "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn
  PID:908
-
[level 4] C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
  command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15
  - Executes dropped EXE
  PID:1676
-
[level 3] C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_1716539024671.log"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1196
-
[level 3] C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_plugin_1716539025903.log"
  - Executes dropped EXE
  PID:2828
-
[level 2] C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
  - Executes dropped EXE
  six identical invocations: PID:1580, PID:1508, PID:2380, PID:1464, PID:2240, PID:1600
-
[level 2] C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
  - Executes dropped EXE
  PID:1972
-
[level 1] C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
-
[level 2] C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding 86F105B132C90E1C99817D241B713F03
  - Loads dropped DLL
  PID:1056
-
[level 2] C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding C78EAAD07BDF3103125124915E96BC71 M Global\MSI0000
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2324
-
[level 3] C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "<pack file>" "<output jar>"
  - Executes dropped EXE
  - Loads dropped DLL
  eight invocations, one per pack file under C:\Program Files (x86)\Java\jre7\:
  PID:1804  lib\rt.pack -> lib\rt.jar
  PID:2076  lib\charsets.pack -> lib\charsets.jar
  PID:1972  lib\deploy.pack -> lib\deploy.jar  (this one also: Drops file in Program Files directory)
  PID:2128  lib\javaws.pack -> lib\javaws.jar
  PID:2496  lib\plugin.pack -> lib\plugin.jar
  PID:1512  lib\jsse.pack -> lib\jsse.jar
  PID:2516  lib\ext\localedata.pack -> lib\ext\localedata.jar
  PID:2000  lib\jfxrt.pack -> lib\jfxrt.jar
-
[level 3] C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1620
-
[level 3] C:\Program Files (x86)\Java\jre7\bin\javaws.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1480
-
[level 4] C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2940
-
[level 4] C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
  command line: "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma 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 -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2792
-
[level 2] C:\Windows\syswow64\MsiExec.exe
  command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADC0D9E9D343545CDFD0B227B22763DE
  - Loads dropped DLL
  PID:2536
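Two things in the sections above are worth decoding rather than eyeballing. First, the report renders each process as image path, command line and tree depth run together with no separator (the cscript entry reads `...cscript.execscript //NoLogo ...hd.vbs2⤵`), so the depth digit is easy to misread as part of the last argument: javaSetup.exe was run with WEBSTARTICON=0 at depth 3, not WEBSTARTICON=03, and jaureg.exe with build b15, not b154. Second, the "Suspicious use of WriteProcessMemory" list and the process tree should be read together: every writer/target pair is a parent and the child it has just spawned. The script below is an added example, not part of the report. It parses the fused lines back into a tree with a depth stack; decodes jp2launcher.exe's -ma/-vma values, which are base64 of NUL-separated argument lists (the -ma blob decodes to -fix -permissions -silent -notWebJava, the same flags javaws.exe was started with, while the -vma value is redacted in the report and so decodes to None); flags any WriteProcessMemory pair whose target is not a direct child of the writer, which is the shape process injection takes; and lists script hosts running a script out of %TEMP%. The sample lines are excerpts of the tree and of the WriteProcessMemory list above, collapsed to one line per process with the bullets dropped. PID 1972 is kept twice on purpose because the sandbox reused it for unpack200.exe and javaw.exe, and the tree code has to cope with that.

```python
"""Rebuild the process tree from the report's fused Processes lines, decode the
base64 argument blobs handed to jp2launcher.exe, and check the WriteProcessMemory
pairs against that tree.

Added example, not part of the sandbox report. Each report line is
'<image><command line><depth>⤵PID:<n>' with no separator, so the parser splits on
the first '.exe' and on the depth digit before the arrow, then assigns parents with
a depth stack. Sample lines are excerpts of the report, one line per process.
"""
import base64
import re

TREE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe"1⤵PID:2952
C:\Windows\SysWOW64\cscript.execscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs2⤵PID:2688
C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe" /asService2⤵PID:2412
C:\Users\Admin\AppData\Local\Temp\javaSetup.exe"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=03⤵PID:2920
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff4⤵PID:1936
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_1716539024671.log"3⤵PID:1196
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants2⤵PID:1972
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:2072
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C78EAAD07BDF3103125124915E96BC71 M Global\MSI00002⤵PID:2324
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"3⤵PID:1972
C:\Program Files (x86)\Java\jre7\bin\javaws.exe"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent3⤵PID:1480
C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma 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 -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==4⤵PID:2792
"""

# Excerpt of the 'Suspicious use of WriteProcessMemory' list (constructed subset, one line per pair).
WPM_TEXT = """
PID 2952 wrote to memory of 2688 2952 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe cscript.exe
PID 2952 wrote to memory of 2412 2952 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
PID 2412 wrote to memory of 2920 2412 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe javaSetup.exe
PID 2920 wrote to memory of 1936 2920 javaSetup.exe msiexec.exe
PID 2072 wrote to memory of 2324 2072 msiexec.exe MsiExec.exe
PID 2324 wrote to memory of 1972 2324 MsiExec.exe unpack200.exe
"""

LINE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) ")


def parse_tree(text):
    """pid -> list of records (a list because the sandbox reuses PIDs); each record has
    image, cmd, depth and ppid (None for a root)."""
    procs, stack = {}, []                       # stack: (depth, pid) of the current ancestry
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed line: " + line[:60])
        depth, pid = int(m["depth"]), int(m["pid"])
        while stack and stack[-1][0] >= depth:  # pop siblings and deeper subtrees
            stack.pop()
        rec = {"image": m["image"], "cmd": m["cmd"].strip(), "depth": depth,
               "ppid": stack[-1][1] if stack else None}
        procs.setdefault(pid, []).append(rec)
        stack.append((depth, pid))
    return procs


def decode_jp2_args(cmd):
    """jp2launcher's -vma/-ma values are base64 of NUL-separated argument lists.
    Returns {flag: [args]}, or {flag: None} when the value is not valid base64
    (the -vma blob is redacted in this report)."""
    out = {}
    for flag, b64 in re.findall(r"(-vma|-ma)\s+(\S+)", cmd):
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:                      # binascii.Error is a ValueError subclass
            out[flag] = None
            continue
        out[flag] = [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]
    return out


def cross_tree_writes(procs, wpm_text):
    """WriteProcessMemory pairs whose target is not a direct child of the writer.
    A parent writing into a child it just created is CreateProcess at work;
    anything else is what process injection looks like."""
    flagged = []
    for src, dst in WPM_RE.findall(wpm_text):
        src, dst = int(src), int(dst)
        if not any(r["ppid"] == src for r in procs.get(dst, [])):
            flagged.append((src, dst))
    return flagged


def script_hosts_from_temp(procs):
    """(pid, command line, parent image) for cscript/wscript running a script under %TEMP%."""
    hits = []
    for pid, recs in procs.items():
        for r in recs:
            host = r["image"].rsplit("\\", 1)[-1].lower()
            if host in ("cscript.exe", "wscript.exe") and "\\appdata\\local\\temp\\" in r["cmd"].lower():
                parent = [p for p in procs.get(r["ppid"], []) if p["depth"] == r["depth"] - 1]
                hits.append((pid, r["cmd"], parent[0]["image"] if parent else None))
    return hits


if __name__ == "__main__":
    tree = parse_tree(TREE_TEXT)
    print("jp2launcher args:", decode_jp2_args(tree[2792][0]["cmd"]))
    print("cross-tree writes:", cross_tree_writes(tree, WPM_TEXT))
    print("script hosts from %TEMP%:", script_hosts_from_temp(tree))
```

Fed the complete tree and the complete WriteProcessMemory list from the report, cross_tree_writes() returns nothing, which is the concrete form of the observation that the 64 WriteProcessMemory hits are all CreateProcess edges. The one finding that survives is the cscript.exe instance running hd.vbs out of %TEMP% with the dropped sample as its parent, which is the line worth building a detection on.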
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Defense Evasion
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
Filesize
9KB
MD56f7290f82b6e118d07ecba84ae870671
SHA1f8d7eeeb03205834f9a58addb90eec3a91410a7a
SHA256f2560369f1ad5733a4a206c9258b44c7914256df6c317f40fa673c53d4371748
SHA51273b588ee7d79b44e8d85f17ad2f505d08d99624874cc294721538ab2f0438eb9ce7c0975508be927c49b4a51922c80e4a012cc893300e8ad8d18b0c0de8f291b
-
Filesize
8KB
MD58f98a4732e74a82e75cf1711ee2994df
SHA194d69b9d241c8ce0bdc2af1a9bc12955f9505955
SHA2569c19e580d3b472263b4484e26d09f966d2be2fb1b5a017b5d04591ab83a27a79
SHA512cdd158b2bba7ef995b737dce7511456b784beb8330a7ce307a4f9f995db6a3f1e64c777c0b7e2089deda159dc5aba6c4adef3a5df7ce53a7883a2d2ff0f4a140
-
Filesize
864KB
MD5bc3a575dfb1a58d35e8617f2966bf1ea
SHA16353630f62e246d7f462134e8d10a7a42935e20f
SHA256c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd
SHA512c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514
-
Filesize
171KB
MD564e2bb67ea740860510dcc5c2b6ffa2d
SHA16c5996358264624cdb4a075acc4f0b46177cd259
SHA256844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b
SHA512ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462
-
Filesize
266KB
MD52b4493bb1f94580c41def972ea9a887e
SHA1880ca8b20c6df9a6a176b91cc50304cb0fe66d06
SHA256841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5
SHA512b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e
-
Filesize
38KB
MD5cb89b1d71061f5ec52468528ecc0b1fc
SHA16feb23a8b5719c8997de92c7da644807fcba8819
SHA25687d8d59972e73700507c07cee8750b0053c6a0899410338722a00c2803d39ee6
SHA5122ff0ed38c7f28eb7ea16f24a0841dfb3306c4fec48ded5fddec8c3140f1a425433a444fe6b6cc4c17b3a39841c8ab0c23d7c9525c119c1b9d6daac2c17a4e4b0
-
Filesize
1.3MB
MD5549bbcd204914b543dafee670f110834
SHA1012461935191a55482e8c3d453d245e965a10a2a
SHA2568ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02
SHA512b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e
-
Filesize
1.7MB
MD5b2a448112b7c886ccce9b6a3d5efd8a0
SHA1660bc9efe960015b208a421b1a63443e7151024f
SHA256928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca
SHA512871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f
-
Filesize
736KB
MD5c8dc1cfeaf0fefc39ed0f1de4eaa175c
SHA111cacbb9e5724d37789455de37a225d8e0c648a1
SHA256da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f
SHA5126b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c
-
Filesize
686B
MD55147cce789cd18ad6b2996eb89e5d866
SHA1756f1fffe96ef581f0d4d47253523544c89a2622
SHA256c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88
SHA51255f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6
-
Filesize
205KB
MD5491bce42c6cd8af88a2e11f37711ed4f
SHA13de7c18fee44465a6afe34e068f2a64dea9fa324
SHA256ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2
SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4
-
Filesize
3.2MB
MD5
dfaa6429468d56ef77932cf26a495f75
SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0
SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed
SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148
-
Filesize
141KB
MD5
31b4d9c29d29567b0ae3037fac9fbdc6
SHA1
8b5d1b1a309177466d71a742414d441f600ea38e
SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb
SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0
-
Filesize
489KB
MD5
47d6cfa1b01a6d41885504bbc3b1919a
SHA1
3838060f9d530c972d65f36fa38b265120a218aa
SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5
SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135
-
Filesize
13.1MB
MD5
b6d75e8c90c79af1579769f10b1e5c88
SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18
SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e
SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037
-
Filesize
68KB
MD5
29f65ba8e88c063813cc50a4ea544e93
SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
1cac3b2fb2f2c74e58f708d1af9bfcb9
SHA1
ec0432cac2ea6631b2e009ba23ce4e4ab6154489
SHA256
cfe001fbf970f33649adb675dd18a3fb0482e4e5a0c368f7aec8282737d1ad93
SHA512
d4e27eeff3bf4482a4afcd19d9eb9464e658154efad1f68e22b42b6727f76db391c39c3b663c95a9ad1f3c010552f3ef3cc5d45e2c2a58cecb95628371aa45f2
-
Filesize
1KB
MD5
35717c778e9005b420388a22ecd1ab3e
SHA1
a9f11309700063bfa5d21ce36b38855bd1af1b52
SHA256
46b2c97da7b746338dfc351640a717a8e354f35f7f7451eff041eeb2b022e777
SHA512
bc7f2b340ec0a1d543fd227c88d32b76d8ccc4c3f123ce0e24720d449e020c4663d9a43de202e17e26eb4b91f746757ce4aa21eb7704d2b9e691bd304fc50cf0
-
Filesize
24.6MB
MD5
003a488a2139105704566b47eb29520d
SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa
SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67
SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de
-
Filesize
898KB
MD5
e24d9b483ce7a3a6a4406111883457f7
SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84
SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c
SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398
-
Filesize
65KB
MD5
ac05d27423a85adc1622c714f2cb6184
SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5
435a9ac180383f9fa094131b173a2f7b
SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
4KB
MD5
a21622604abf7b519d55c10806872a05
SHA1
c45814fddf61503d1abc289b94417e59cfb64d57
SHA256
f7537e1397e941aac02e53d7271deef707b93d2f1e59548abbbcd9b52726eaed
SHA512
c4a313f22fe0d4e4a63868eac79efb88ce7341cd7d0a0579018924adaeb587bf6dc231bb8ba9e61afd3b5be2cf1567dfa491d7064fb93491b871475eaee98fdd
-
Filesize
4KB
MD5
647de502d25e3d165dcf6776d1c07358
SHA1
ee345d1f2bbdb5cc0b752ee946108691d548e2dd
SHA256
b3a9b47eac77dee7a58de5c35d2092cd06b9dc001351a6c6e84b67432daf5444
SHA512
acf018c09daab46cf96dc9b066793e5174c2a57be761e6dc9aad8e7b38fcac568380b48ba84bfd2b89212ef10013dfb7f6d64f3a68d533eac48ee270529dd9d7
-
Filesize
1KB
MD5
1325681eaf40afe81bb8187a6aa9074e
SHA1
9f5243e77b770986008d4f8418a9f9ec1dc71cda
SHA256
2d4bea66900319606cc666d03825db8a743452a14c99bf5a6f146960644f1130
SHA512
ae28bd2e572f713f8267237ffe07434dedcbc6c33849642649b8c66ecb567e6f88a4b38e78c78da4ef1e349a1a5201b8e9f4c6d070caef75d0ca8e1b64f579d7
-
Filesize
5KB
MD5
304ee7d6e767d10290b18ac1866373e5
SHA1
d52062d3778b41329f93e4066b995972df371902
SHA256
57b53c2dcfba36cce5be9f277a5789e3c2152c0f10f765ab89c7dbcbd02e219b
SHA512
e316580f3d324446aa311c78b17784d9366c1d1ef57931e6f76328061e84cfde5ebbc0f7f1f4b0be1df7d051e428fa534be2291811247d7049f120eaf6cc12ec
-
Filesize
6KB
MD5
e7003b240e5be14db87f88ab93444c39
SHA1
7dc079aa0f9f0a17ee9de1a165b67cd08bce959c
SHA256
d568f54115162d1349f0ac3ba5fa887eabf9c5807126e68ce3e5e72287dc64f4
SHA512
2c91c5950149e7675314c224b1c0c0249728e87f715fb8f741f955ec084fee60ef69b8e87aaf43f975e5a16496931d112a7b1267648ed76dd3e1efd634ce5ad2
-
Filesize
245B
MD5
d8682d715a652f994dca50509fd09669
SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e
SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba
SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca
-
Filesize
28.1MB
MD5
f2fd417b6d5c7ffc501c7632cc811c3e
SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3
SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9
SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b
-
Filesize
193KB
MD5
6a86e8d216a77baa9084e18e231204a6
SHA1
6c1e488a58c0776519fb5eb4161d0f929aecb188
SHA256
49c96e06d4d875bd04d6dba41567347e0ca43f712b54dfcb240bbf8da12506d3
SHA512
6c4dddca4bcad858ff042a9f15da6226cf8c4a7c84215a1cba8b6625ef192d74451fb11a9ceb6c5a6450b71fec24c69d404505717c008c9009ca8e0a8a57c37e
-
Filesize
193KB
MD5
5da1b3686b8239c4278b11288b0b441d
SHA1
fde3ebc5be1347693b9a66877f78d40929383ff8
SHA256
c2e1e432f32ceaef9be282ed1216275604f03a9fc514781161eaa89c32046f56
SHA512
a5a118bc340169f36c7b69a1d5e20b23be6132be6926664d67839357c40ac7a9337014a9aa570b72f3f3ce816a3b003915516effb764ac00f3959a75a9d05b1d
-
Filesize
194KB
MD5
a4a7a1bb494c3808f6c61b7a016b0e1b
SHA1
78c93a6cb226ae9fec29eb5727737b88457c09ad
SHA256
415da94b6e737947ad017a683a71fa1ab41229ae062f46e18ad8b427dc63b6b9
SHA512
9cf5f993f137024edfe2c35186beaffd891cfc8122d527a95cc42eb098026766ae35f2c53625f50b4821f54b055f21dbe99e6da3dc4c08ffa49419b58553be93
-
Filesize
195KB
MD5
a256804cf7979b72a2e05766cdc6e6a4
SHA1
7318c80b4ff40c397a27cd2fce6c157bea503be6
SHA256
0ce92642049b8d6cd1925f5697eb4fd699594fc329d590fb482f9430a449c4a5
SHA512
8c8fd367f8e990ae1d291b66ae34efd76dc547e53d3e80b334ce00fc05a703c9a4316025426363106f614ecf64567bb98b918ab019ed084ba47e06f634c397f8
-
Filesize
195KB
MD5
95b6db47d83e1c43fe0a6dfa89b6cf4c
SHA1
ce67c5f379dca2775815dba04875bee40dcc8c14
SHA256
c3fccdfe60a45a816f9389a8ed5678862bb151d10d58d5ed7275a7d0e3714388
SHA512
4c9df5f9d618bb0d6827ff187b0f7ba1bc7b17fb34635a84a37353837b5afc6c0c4ff0c913608edb6ec478c540d79084fe2aaa15f45628ab4a53938a223dbbe6
-
Filesize
196KB
MD5
b0949b14d1ae9196d12eaccaa0b62107
SHA1
4acd9a8d1411037d73667808f243572d2239c436
SHA256
295f8c8bb8e6a16f72874ca3bffdf21b7f4050cdab3bdc1bf055f6a86ce3ea95
SHA512
b25bcaa9dcb3491a98c799d3281fc88988fec2d6a50c2c127c89a5fea789ec657ab3da53ce54b3f1dd40d33c7f415935bc57b101c23b07d7298864c9047cc906
-
Filesize
196KB
MD5
5b2120b15b094ab218e799bfff61dc14
SHA1
e28431d7b6e4b553a5d1d16ec3b8f97e4c99e3e9
SHA256
890825362b7fc3c0d04d28220a0448db13ed45caf20fb07e24cad7cfc89b8af5
SHA512
9e7938223631f324d5b7729f0957a9369d864df6d1ef8075419c626b5873e81a39775cb6a2e1a08d8da66b3f444f2eb6699c6b9dee076fdb2a8feacc590eb49b
-
Filesize
197KB
MD5
2b86d39053fc6e56bd766e03b26a52c0
SHA1
ef3dc18b0959019ac4501feb955921fb0053907f
SHA256
a0c4e58373a32071c13ea9d822f62773b50746a310cd371e425a2156963e0548
SHA512
b156b87ba767de35d4be1738eebd393fc584c2294f529834f20d63d5179c6b198925c68b94af63243bc667fd5f87792886af2225c1f3d7933e311b75ad1bc173
-
Filesize
4KB
MD5
b8fb107bd13db98220f268c8934f9966
SHA1
9ae449edd077dbe9fc765619a318359a03284b18
SHA256
54319cb0aa82dc67dffada8af6e5fdb235b0c27575f4c7ddfe7a6f834243d3eb
SHA512
af996421da8f6655c62693db73770777b981334e368c0a288b8e7ba5dc20577adc7605336cb0a1d65ae41f0e4cae09e572ccf657c9c35aed679b0ccf17e1941d
-
Filesize
602B
MD5
920e66dfb079d1fc70d98823a10d84ef
SHA1
091631efbcea2eadd706fbd3e43ed197cdbc2aeb
SHA256
8d9c147a901dbc4e03da42472817a14409f8b87a35553277237f171319c9af05
SHA512
84c3c735e5c7ebc714322a9cfa2813097588eddc051fe8cb5015a5aaf112e389e335ca9e1042707ab19b2f8f5a522ddc84423b38c27a630ac95a753d447d7994
-
Filesize
890B
MD5
f8cc766f45089fe76f6ae2f1dcf6f45f
SHA1
c75de5e89c8f8e7167e0ee0f40fdd39e6851fc80
SHA256
9b19396464603a56b09e46e67e99c6b38d68af8e2a4c491edc3d9f6a5870ccf4
SHA512
3c4d10678c7f52fffef55f1198cb981477ea990fbdfe87372868991708215a25f788cca2fe7eda40e6d754beac55db60b0d28718170d750482fd284a12ee58b6
-
Filesize
155KB
MD5
55d7e66e49c3994eb5e1004a5efd22b1
SHA1
aa8a045dc0c161e95804f76efe27f1f572072fa8
SHA256
0a833d92b4d4aa068b0cb256b87c0d3495c3cc4a021be86c072095fee467b379
SHA512
2492ca442c4f6aab1f085a54bbbc1a95b836f033f1c8748fa6c3873997a397020baedfc1f661d751afe30ade3ab14b66a676a4731696b6c90c5c3adfa6c2bd2b
-
Filesize
3.4MB
MD5
27147e1e3faf9b5ccda882cd96f2a85c
SHA1
7103f60121727917f812bfc7cdff5347fc17cc8e
SHA256
500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f
SHA512
0866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194
-
Filesize
117KB
MD5
a258a133f7d565600647a248ab95792c
SHA1
1c6a855ca1fc04413b906b0b17609eff38317161
SHA256
81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af
SHA512
bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7
-
Filesize
138KB
MD5
4cf2dff54d2e12e3ab637fcafa7d4c9d
SHA1
dcbd0a027b8017ac396741698dfc3b3f4d1b4c39
SHA256
8ff2bc130db2f1fef2e6470adb58bcdba1d2133f9ad21ebd7d80fedd3e537e21
SHA512
a206001ceaed2df91428f1b7094246e4e7318bf4e7b19c475d4887b5eae49714ff7fa3cfab4133004a51280cf36549b73eecc87428b0b38294297545e9493e67
-
Filesize
755KB
MD5
bf38660a9125935658cfa3e53fdc7d65
SHA1
0b51fb415ec89848f339f8989d323bea722bfd70
SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
-
Filesize
145KB
MD5
0d46182b6134aa9c7acd16133d67e4c3
SHA1
7b5be3d65e5e744723bf55a08f9dc1042585d5eb
SHA256
c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc
SHA512
735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b
-
Filesize
202KB
MD5
9f84d910602183954bed6d9660600783
SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23
SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e
SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9