cobaltstrike | 5a8a4bf4dcfb980609656004f9ed1fb2e067f1b7b74fa2cda8408bf7993de6ae

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
Size

5.9MB
MD5

623fad39c0bbc1054a4cdae0468d298d
SHA1

aebbf36f3078bd718a32a49dc4895f15e2cec8f3
SHA256

5a8a4bf4dcfb980609656004f9ed1fb2e067f1b7b74fa2cda8408bf7993de6ae
SHA512

e0e6a2b715e8b6f8ccc865dc2d73a5768a755be360145d6f69ad9eeb147e96511c519fdc83658986e1b0056720c89ce0af18d98891d2aaefef049d35ed300bec
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUo:E+b56utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\SYCuRFT.exe	cobalt_reflective_dll
C:\Windows\system\sAjisfC.exe	cobalt_reflective_dll
\Windows\system\XjKoSEN.exe	cobalt_reflective_dll
C:\Windows\system\BgbkxTt.exe	cobalt_reflective_dll
C:\Windows\system\rapqJTx.exe	cobalt_reflective_dll
C:\Windows\system\GCyAidc.exe	cobalt_reflective_dll
C:\Windows\system\cmjSBqv.exe	cobalt_reflective_dll
C:\Windows\system\UmTCtOz.exe	cobalt_reflective_dll
\Windows\system\nCJRhKV.exe	cobalt_reflective_dll
C:\Windows\system\xZWkfju.exe	cobalt_reflective_dll
C:\Windows\system\UPOcGaj.exe	cobalt_reflective_dll
C:\Windows\system\RtBubzJ.exe	cobalt_reflective_dll
C:\Windows\system\VukioOW.exe	cobalt_reflective_dll
C:\Windows\system\HbFougP.exe	cobalt_reflective_dll
C:\Windows\system\gPidbkz.exe	cobalt_reflective_dll
C:\Windows\system\STgZcLA.exe	cobalt_reflective_dll
C:\Windows\system\eoNqbun.exe	cobalt_reflective_dll
C:\Windows\system\DAMaule.exe	cobalt_reflective_dll
C:\Windows\system\nosoKFW.exe	cobalt_reflective_dll
C:\Windows\system\oSRQzSS.exe	cobalt_reflective_dll
C:\Windows\system\uEmvirI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 63 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2388-0-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
C:\Windows\system\SYCuRFT.exe	xmrig
behavioral1/memory/3068-9-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
C:\Windows\system\sAjisfC.exe	xmrig
behavioral1/memory/2524-15-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
\Windows\system\XjKoSEN.exe	xmrig
behavioral1/memory/2560-21-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
C:\Windows\system\BgbkxTt.exe	xmrig
behavioral1/memory/2588-27-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2564-34-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
C:\Windows\system\rapqJTx.exe	xmrig
C:\Windows\system\GCyAidc.exe	xmrig
behavioral1/memory/2548-41-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
C:\Windows\system\cmjSBqv.exe	xmrig
behavioral1/memory/2672-48-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2544-55-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2388-54-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/2932-71-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/1492-81-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/1456-89-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
C:\Windows\system\UmTCtOz.exe	xmrig
\Windows\system\nCJRhKV.exe	xmrig
C:\Windows\system\xZWkfju.exe	xmrig
C:\Windows\system\UPOcGaj.exe	xmrig
C:\Windows\system\RtBubzJ.exe	xmrig
C:\Windows\system\VukioOW.exe	xmrig
C:\Windows\system\HbFougP.exe	xmrig
behavioral1/memory/2932-141-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2484-106-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/1368-96-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2616-103-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
C:\Windows\system\gPidbkz.exe	xmrig
C:\Windows\system\STgZcLA.exe	xmrig
behavioral1/memory/2544-98-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
C:\Windows\system\eoNqbun.exe	xmrig
behavioral1/memory/2564-80-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
C:\Windows\system\DAMaule.exe	xmrig
behavioral1/memory/2588-75-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2560-69-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
C:\Windows\system\nosoKFW.exe	xmrig
behavioral1/memory/2484-63-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2524-62-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
C:\Windows\system\oSRQzSS.exe	xmrig
C:\Windows\system\uEmvirI.exe	xmrig
behavioral1/memory/1492-143-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/1456-145-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/2388-146-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/1368-147-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2616-149-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/3068-151-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2524-152-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2560-153-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2588-154-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2564-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2672-156-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2544-157-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2484-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2932-159-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/1492-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2548-161-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/1456-162-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/1368-163-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2616-164-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

SYCuRFT.exesAjisfC.exeXjKoSEN.exeBgbkxTt.exerapqJTx.exeGCyAidc.execmjSBqv.exeuEmvirI.exeoSRQzSS.exenosoKFW.exeDAMaule.exeeoNqbun.exegPidbkz.exeSTgZcLA.exeHbFougP.exeVukioOW.exeRtBubzJ.exeUPOcGaj.exexZWkfju.exeUmTCtOz.exenCJRhKV.exe

pid	process
3068	SYCuRFT.exe
2524	sAjisfC.exe
2560	XjKoSEN.exe
2588	BgbkxTt.exe
2564	rapqJTx.exe
2548	GCyAidc.exe
2672	cmjSBqv.exe
2544	uEmvirI.exe
2484	oSRQzSS.exe
2932	nosoKFW.exe
1492	DAMaule.exe
1456	eoNqbun.exe
1368	gPidbkz.exe
2616	STgZcLA.exe
2336	HbFougP.exe
2340	VukioOW.exe
1012	RtBubzJ.exe
1560	UPOcGaj.exe
2744	xZWkfju.exe
340	UmTCtOz.exe
2532	nCJRhKV.exe

Loads dropped DLL 21 IoCs

Processes:

623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

pid	process
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2388-0-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
C:\Windows\system\SYCuRFT.exe	upx
behavioral1/memory/3068-9-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
C:\Windows\system\sAjisfC.exe	upx
behavioral1/memory/2524-15-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
\Windows\system\XjKoSEN.exe	upx
behavioral1/memory/2560-21-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
C:\Windows\system\BgbkxTt.exe	upx
behavioral1/memory/2588-27-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2564-34-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
C:\Windows\system\rapqJTx.exe	upx
C:\Windows\system\GCyAidc.exe	upx
behavioral1/memory/2548-41-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
C:\Windows\system\cmjSBqv.exe	upx
behavioral1/memory/2672-48-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2544-55-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2388-54-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/2932-71-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/1492-81-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1456-89-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
C:\Windows\system\UmTCtOz.exe	upx
\Windows\system\nCJRhKV.exe	upx
C:\Windows\system\xZWkfju.exe	upx
C:\Windows\system\UPOcGaj.exe	upx
C:\Windows\system\RtBubzJ.exe	upx
C:\Windows\system\VukioOW.exe	upx
C:\Windows\system\HbFougP.exe	upx
behavioral1/memory/2932-141-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2484-106-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/1368-96-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2616-103-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
C:\Windows\system\gPidbkz.exe	upx
C:\Windows\system\STgZcLA.exe	upx
behavioral1/memory/2544-98-0x000000013F030000-0x000000013F384000-memory.dmp	upx
C:\Windows\system\eoNqbun.exe	upx
behavioral1/memory/2564-80-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
C:\Windows\system\DAMaule.exe	upx
behavioral1/memory/2588-75-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2560-69-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
C:\Windows\system\nosoKFW.exe	upx
behavioral1/memory/2484-63-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2524-62-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
C:\Windows\system\oSRQzSS.exe	upx
C:\Windows\system\uEmvirI.exe	upx
behavioral1/memory/1492-143-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1456-145-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/1368-147-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2616-149-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/3068-151-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2524-152-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2560-153-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2588-154-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2564-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2672-156-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2544-157-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2484-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2932-159-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/1492-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2548-161-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/1456-162-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/1368-163-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2616-164-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System\HbFougP.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\RtBubzJ.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\UPOcGaj.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\XjKoSEN.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\DAMaule.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\GCyAidc.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\eoNqbun.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\STgZcLA.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\xZWkfju.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\SYCuRFT.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\rapqJTx.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\nosoKFW.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\gPidbkz.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\VukioOW.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\UmTCtOz.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\nCJRhKV.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\BgbkxTt.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\oSRQzSS.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\uEmvirI.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\sAjisfC.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
File created	C:\Windows\System\cmjSBqv.exe	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

description	pid	process
Token: SeLockMemoryPrivilege	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe

description	pid	process	target process
PID 2388 wrote to memory of 3068	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	SYCuRFT.exe
PID 2388 wrote to memory of 3068	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	SYCuRFT.exe
PID 2388 wrote to memory of 3068	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	SYCuRFT.exe
PID 2388 wrote to memory of 2524	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	sAjisfC.exe
PID 2388 wrote to memory of 2524	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	sAjisfC.exe
PID 2388 wrote to memory of 2524	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	sAjisfC.exe
PID 2388 wrote to memory of 2560	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	XjKoSEN.exe
PID 2388 wrote to memory of 2560	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	XjKoSEN.exe
PID 2388 wrote to memory of 2560	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	XjKoSEN.exe
PID 2388 wrote to memory of 2588	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	BgbkxTt.exe
PID 2388 wrote to memory of 2588	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	BgbkxTt.exe
PID 2388 wrote to memory of 2588	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	BgbkxTt.exe
PID 2388 wrote to memory of 2564	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	rapqJTx.exe
PID 2388 wrote to memory of 2564	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	rapqJTx.exe
PID 2388 wrote to memory of 2564	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	rapqJTx.exe
PID 2388 wrote to memory of 2548	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	GCyAidc.exe
PID 2388 wrote to memory of 2548	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	GCyAidc.exe
PID 2388 wrote to memory of 2548	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	GCyAidc.exe
PID 2388 wrote to memory of 2672	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	cmjSBqv.exe
PID 2388 wrote to memory of 2672	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	cmjSBqv.exe
PID 2388 wrote to memory of 2672	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	cmjSBqv.exe
PID 2388 wrote to memory of 2544	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	uEmvirI.exe
PID 2388 wrote to memory of 2544	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	uEmvirI.exe
PID 2388 wrote to memory of 2544	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	uEmvirI.exe
PID 2388 wrote to memory of 2484	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	oSRQzSS.exe
PID 2388 wrote to memory of 2484	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	oSRQzSS.exe
PID 2388 wrote to memory of 2484	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	oSRQzSS.exe
PID 2388 wrote to memory of 2932	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	nosoKFW.exe
PID 2388 wrote to memory of 2932	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	nosoKFW.exe
PID 2388 wrote to memory of 2932	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	nosoKFW.exe
PID 2388 wrote to memory of 1492	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	DAMaule.exe
PID 2388 wrote to memory of 1492	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	DAMaule.exe
PID 2388 wrote to memory of 1492	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	DAMaule.exe
PID 2388 wrote to memory of 1456	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	eoNqbun.exe
PID 2388 wrote to memory of 1456	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	eoNqbun.exe
PID 2388 wrote to memory of 1456	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	eoNqbun.exe
PID 2388 wrote to memory of 1368	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	gPidbkz.exe
PID 2388 wrote to memory of 1368	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	gPidbkz.exe
PID 2388 wrote to memory of 1368	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	gPidbkz.exe
PID 2388 wrote to memory of 2616	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	STgZcLA.exe
PID 2388 wrote to memory of 2616	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	STgZcLA.exe
PID 2388 wrote to memory of 2616	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	STgZcLA.exe
PID 2388 wrote to memory of 2336	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	HbFougP.exe
PID 2388 wrote to memory of 2336	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	HbFougP.exe
PID 2388 wrote to memory of 2336	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	HbFougP.exe
PID 2388 wrote to memory of 2340	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	VukioOW.exe
PID 2388 wrote to memory of 2340	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	VukioOW.exe
PID 2388 wrote to memory of 2340	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	VukioOW.exe
PID 2388 wrote to memory of 1012	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	RtBubzJ.exe
PID 2388 wrote to memory of 1012	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	RtBubzJ.exe
PID 2388 wrote to memory of 1012	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	RtBubzJ.exe
PID 2388 wrote to memory of 1560	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	UPOcGaj.exe
PID 2388 wrote to memory of 1560	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	UPOcGaj.exe
PID 2388 wrote to memory of 1560	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	UPOcGaj.exe
PID 2388 wrote to memory of 2744	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	xZWkfju.exe
PID 2388 wrote to memory of 2744	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	xZWkfju.exe
PID 2388 wrote to memory of 2744	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	xZWkfju.exe
PID 2388 wrote to memory of 340	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	UmTCtOz.exe
PID 2388 wrote to memory of 340	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	UmTCtOz.exe
PID 2388 wrote to memory of 340	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	UmTCtOz.exe
PID 2388 wrote to memory of 2532	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	nCJRhKV.exe
PID 2388 wrote to memory of 2532	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	nCJRhKV.exe
PID 2388 wrote to memory of 2532	2388	623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe	nCJRhKV.exe

C:\Users\Admin\AppData\Local\Temp\623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\623fad39c0bbc1054a4cdae0468d298d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\System\SYCuRFT.exe
C:\Windows\System\SYCuRFT.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Windows\System\sAjisfC.exe
C:\Windows\System\sAjisfC.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\XjKoSEN.exe
C:\Windows\System\XjKoSEN.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\BgbkxTt.exe
C:\Windows\System\BgbkxTt.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\rapqJTx.exe
C:\Windows\System\rapqJTx.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\GCyAidc.exe
C:\Windows\System\GCyAidc.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System\cmjSBqv.exe
C:\Windows\System\cmjSBqv.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\uEmvirI.exe
C:\Windows\System\uEmvirI.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\oSRQzSS.exe
C:\Windows\System\oSRQzSS.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\nosoKFW.exe
C:\Windows\System\nosoKFW.exe
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\System\DAMaule.exe
C:\Windows\System\DAMaule.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\System\eoNqbun.exe
C:\Windows\System\eoNqbun.exe
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\System\gPidbkz.exe
C:\Windows\System\gPidbkz.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\System\STgZcLA.exe
C:\Windows\System\STgZcLA.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\HbFougP.exe
C:\Windows\System\HbFougP.exe
2⤵
- Executes dropped EXE
PID:2336

C:\Windows\System\VukioOW.exe
C:\Windows\System\VukioOW.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\RtBubzJ.exe
C:\Windows\System\RtBubzJ.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Windows\System\UPOcGaj.exe
C:\Windows\System\UPOcGaj.exe
2⤵
- Executes dropped EXE
PID:1560

C:\Windows\System\xZWkfju.exe
C:\Windows\System\xZWkfju.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\UmTCtOz.exe
C:\Windows\System\UmTCtOz.exe
2⤵
- Executes dropped EXE
PID:340

C:\Windows\System\nCJRhKV.exe
C:\Windows\System\nCJRhKV.exe
2⤵
- Executes dropped EXE
PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BgbkxTt.exe
Filesize
5.9MB

MD5
82541e4a022646ff46c1bb71d2293ff0

SHA1
35bb10818ae1c0c5007e3a0001a8ddd25483306e

SHA256
aaeda26c5428b0c4e3e4f40d61bd3a573aaed45b6a2eb93d7e530b2d1f073e7c

SHA512
b652b86da84f7f6d4af04601bd663ef3d7fe1a5ec822b223f13a2562317a7db9018eff276d575195d0383980596630d40c157e25e2379212e904fe3cd1a16123

Download Submit
C:\Windows\system\DAMaule.exe
Filesize
5.9MB

MD5
0c0550a31dfdd8717c81e1bbfb484618

SHA1
30611051f402b6c0b704467ce7aa70184649d3a6

SHA256
fb954fdb88fa3eb15e836a158155144a1daee20715ee32b60e38c21fc0dc724f

SHA512
e55163fc7e30499b28fcc018ed9d86d3ddceed6e839dd8374b88e899126ecc1a0636a44316ff1d9c53c3c0feb47a1d8a995a61ff50ed73e7885e495b6ebaae07

Download Submit
C:\Windows\system\GCyAidc.exe
Filesize
5.9MB

MD5
d9c31c0022c8d0c931891bbfb4e83eb1

SHA1
79b3287559dba93c749c4d8fbbf7ee16a87ae117

SHA256
ad36e99dc28f6aa8a4ceefbfc8388f3add8ba69c6b9f3bee9238f80084dffe52

SHA512
f36c83572ee2a0f9787ccd09d9588caabf6739dadc4a4827a7b244db71632ef75c1adbe0365cc1d0eae76d8ae846b912995810588b625d7a5343eeafba503cf3

Download Submit
C:\Windows\system\HbFougP.exe
Filesize
5.9MB

MD5
ad20d995fc899ca8d008babd5bae72a9

SHA1
41207f580a30675e7373aa4e7d470415abd041a5

SHA256
06c38cd8580eceaf9c6baec4f654e36c8ec5863aa17b1f60affab2d6e8a34f5b

SHA512
e5974506aac764954a4e51d148397603cfc158493903260539e83134bd4c96630b99f86cf2f6e0198e7cd9c3581e4c1ec4372c5ba81196a876104468c40db8bf

Download Submit
C:\Windows\system\RtBubzJ.exe
Filesize
5.9MB

MD5
f60e83769e475b5a31762f19f8b61959

SHA1
6c6cb46b2e68adc4ea5fb04ac3da933ff5d41698

SHA256
b0a3b1aa6baa9012add469c70d5603c1e0659294928335d4dc5a67526c39495a

SHA512
f17daf944ba155c1dcafe560ff584c2837559bda013bd59de2517cc56eafc818166e90d5bb7a333106932ba1d5323bafdfbce96885ddbc8ba63ce2a4cbd8623a

Download Submit
C:\Windows\system\STgZcLA.exe
Filesize
5.9MB

MD5
417884b82fa7ef93fc872282d26eb5b9

SHA1
7c4075074b04a4e3a045bf60da57b7173608c609

SHA256
46b0693c1dd104f93b6e9e192976dae7e4bbb296fb478e8c0495edb4e88a053d

SHA512
c30711389d65a8dcfd05b9c926907b1d8885bdaca268a53b102252a1cd344266efa96cf480555caae98fa7126d212104d84666312ea819ec9c397b0ae1991789

Download Submit
C:\Windows\system\SYCuRFT.exe
Filesize
5.9MB

MD5
477854df7b22cb7a787b0b6f1668a3b6

SHA1
2a8ab1105dcc8b16bb0dc5aedee4ad44616fb1a9

SHA256
a3fd9d3201e6e3592fcc3eb1ac2adf3995026272d18f5a69e7e518a50fecbe29

SHA512
a03680aed00a07c497b7fba38915c2cefb43671029642f66ff65953853b0e73d3bb2ff3f12d5c13c8828e13e1eceb04de9b8d02fa1178f020f866721b848f5a3

Download Submit
C:\Windows\system\UPOcGaj.exe
Filesize
5.9MB

MD5
1829dbf11ab92d7af8b3061f970a4248

SHA1
9c979e32f1e1885ca59661475ca75011805764d7

SHA256
0082a696b6f2d11d8772eddaa70a2047093138f50979f5d64442b018f16d718e

SHA512
995d1493664322ab3a57e1c96aee2155f87e35fbb3461188d4c64a310d0f54d315b14ae11c398440a7ad67466de18a0bd4f54585f14f3b309a905189d9940b11

Download Submit
C:\Windows\system\UmTCtOz.exe
Filesize
5.9MB

MD5
03ad0f658a9ea0bb0869043deca7010d

SHA1
ffb334dfb716f4c5ca11b24ec2de17e2e9ddadfb

SHA256
a92a5ec618f5aa08b7449ad81cd8b65db0edffd6897e6ab994276b97d4fce434

SHA512
3d90fc32f3e6b5c36ee00aeb2a78fe1ec6cfc3628411b4f63ada922a27035bfc898632fb8799a14aa9e0b5b0662160bb0ed3723f219bc5a1ea0190c201572b84

Download Submit
C:\Windows\system\VukioOW.exe
Filesize
5.9MB

MD5
ce4e2ceda9f7f0460fd11b7e6f47d018

SHA1
8c9160af4db9eb279c14c4a91277ba4ac7c82f6f

SHA256
42fca9b056b812bd2c4a9ee1516781cbb874da92113b15736a6d59dde4e6ac8e

SHA512
3c850a4f55b7fc241d8ff37a20098c8f49fa3daa793e8ab90a07b961042afbed89c774fca34a24c4130d93a5b659bc35f9702ae86ede836c6e7e82c147c191e6

Download Submit
C:\Windows\system\cmjSBqv.exe
Filesize
5.9MB

MD5
afecc732538bfe47386886a26545bc77

SHA1
71deccaf88d2a85f99ef4453b42d7ccab1e3220c

SHA256
cd6f2c46871888e1dc8219ab7efce8f0c90006c010d4360995f83c429cbedcae

SHA512
3ee0fdad5c24581a601fd8b649130da48528572f29097a2ea7b13e8b80f3817d0698befb8bf5bc8e9ee11ba94bbfba83c7dfaf6cc6602a42bbd39e58ef0e0a9d

Download Submit
C:\Windows\system\eoNqbun.exe
Filesize
5.9MB

MD5
1115a894fc03600bf063ecfa532eb3cf

SHA1
5b9c97c81c082ccdcc34eab0d393fc572358bf65

SHA256
82b094454919e2392d932994109ef394534705a55162de7cef486a92007e04c2

SHA512
755254ff31520391aae765d1cb7d1813d8e8aa7b0e07f8c88f8702e629b2706e59f7cbe588a6c3415ffb61c1e5437debdc4ddc074740c64314747811c3acf1e2

Download Submit
C:\Windows\system\gPidbkz.exe
Filesize
5.9MB

MD5
9ed96d01c68726bee503862ec46cf4af

SHA1
09890cf69be7d04b1bdd68c449f252ae4f3bba4d

SHA256
98d9e11569f80b1530aaf26d8f47f9e3ab7dde557dc565ba50474609a1c54c22

SHA512
c5a1a2dafc1b2dccf24c1df7c66bb5fbeb9cceda51aa72430d09ba334cf4fd0730380a28fd62c892a4a992bb05273482a2a3899734ea76bbf5fefc996611343f

Download Submit
C:\Windows\system\nosoKFW.exe
Filesize
5.9MB

MD5
36d789ee41567376edbcd433cab7d57c

SHA1
ad9f38e34cb5e1a401c7fa37f08366453bab24cd

SHA256
8d023a120b8427e298d49cf5a16da2b77250a437a7d9c9f01d336264898775e2

SHA512
fb649cd2e3f3a917fa753d742c93fe2ee76eac43c8343ef5097d2373b5762ed336694af5052703a9b9eb2a01b78b91be4cb97256733d484cce998fc3c89a3aca

Download Submit
C:\Windows\system\oSRQzSS.exe
Filesize
5.9MB

MD5
639f12391b21f69fcd913a086f7e70bb

SHA1
55505fec966de7589b05e9bcccb910051b9c560f

SHA256
ce0e86ecc08375ad979bd417e0eaafbcca3d9a0734bfaa6045386a9137557648

SHA512
e6e69c83b713d5b8643bd4ef416faac7ff739d48deb9d294b90cff82956ba30cddb9d7412c6158b7c549fe65ff15fa8fe0a72c7b2b64be6787d563061d78b515

Download Submit
C:\Windows\system\rapqJTx.exe
Filesize
5.9MB

MD5
4130b6b5b4934375eb8e4944af5e9924

SHA1
3a8220592b75079d92b4c259a94a7243ccb56fb0

SHA256
905addf734e390736cf073b1c13704f030fa513c6816e659d0d691cb1977527d

SHA512
18ab7f4868924c6d5a552e94ddcdd22dd1f8a0e896f5c5e6e9683a9d03a6d080fb736728f3978ccf8f84f3a29873d99462dca21301ac5e6bdd3d1031ce40e7b2

Download Submit
C:\Windows\system\sAjisfC.exe
Filesize
5.9MB

MD5
ca456ee9bdc48133f6dd1c7fc1a8a620

SHA1
6748c6657a9c75fe12bf40327f53ef7e02d714f8

SHA256
3c29b752567866aaae1e1a1ca58859e43b057543dd5717725182ba34ff2bb10c

SHA512
9868b9a9920dfbb1da57fa547c6bda09a42f7fbcbbab4e196f4dacea5e8faa59235a8548196723d7a73c4d35404d31727ac49f6a44e24edac61d12fec0475952

Download Submit
C:\Windows\system\uEmvirI.exe
Filesize
5.9MB

MD5
908d662be4b04500091ff43d2230fb96

SHA1
2b756ed5dab7aad3f650bb82b7fd52022c8daf78

SHA256
f15ed641c9ac3fb12722a3bc57c6a0dcfc69af1726e4798311040052d4b71142

SHA512
715e70509d08c9ef9359330deb8bbf66a56cde8166af5794c0efb4998b0946d040bdad93057744a23ff73cc8b3935e4e4840ed93c4276df7c1671c876dc3c700

Download Submit
C:\Windows\system\xZWkfju.exe
Filesize
5.9MB

MD5
f36dc7877f96a2cfdc0ba284543e4411

SHA1
55b5e795c4c4e7299474639ef4f52e7b67ac7a8a

SHA256
4ada65a775e0a17af10c0b76aee97200d2f43496eab8befcf7b08f7030bb37f0

SHA512
c3a6f3b2a5f81de59685278831c4e4da0cb27db1738b2e2fd9b51a9d33dd93ae91332a183aed7f1a26c8270b6813dea26f214c3420b75a1e58f72e3b177cdca3

Download Submit
\Windows\system\XjKoSEN.exe
Filesize
5.9MB

MD5
8a05d1fa753092ecd5cd9d861547c2fc

SHA1
fe08141775a1cabe5f6cd63dbc0bf4ea8dd9791e

SHA256
9842b63444b6f82f0d740be4dcea49e2dbd5220351475e48c16f854899f7c781

SHA512
170a38546bc75a25e0d7da1884bc47c9646d9ca5689ce7d995b50bdb92d37b80eb6239e5e54c5d480a7b6ccc7b05d9ed8ae043e724a013137e83ffadebbec768

Download Submit
\Windows\system\nCJRhKV.exe
Filesize
5.9MB

MD5
a2bc4d511e737347edd05a81f826f3ab

SHA1
fdeddebce2a6b7c747cd998e444eed062e25d93a

SHA256
3966771e0361c38d2fe48f8920482fa45cd5ca79291cdf1abf640f512b118046

SHA512
3d78e9a448e469d74c140695328d4f69b3c76c86079bed4ec32065bba76a347b686d4ea3ecb2d050dddfa0f58d4e54111d0511d2847c7bfc5b7091ded1838057

Download Submit
memory/1368-96-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/1368-147-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/1368-163-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/1456-145-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1456-162-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1456-89-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1492-143-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-81-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-92-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2388-0-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2388-68-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2388-54-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-8-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2388-140-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2388-33-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2388-43-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-70-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2388-150-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2388-61-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2388-50-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2388-148-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2388-146-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2388-85-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2388-144-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2388-142-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-40-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-76-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-26-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2484-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2484-106-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2484-63-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2524-152-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2524-15-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2524-62-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2544-55-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2544-157-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2544-98-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2548-41-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-161-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-21-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2560-153-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2560-69-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2564-34-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2564-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2564-80-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2588-27-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2588-75-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2588-154-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2616-149-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2616-164-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2616-103-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2672-48-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-156-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-159-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2932-141-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2932-71-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/3068-9-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/3068-151-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download