cobaltstrike | 85f4af997095e815fe9120d40ad9b2bb570418b5dbbe7dad5cade7f16e65ed06

Analysis

max time kernel
137s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
Size

5.9MB
MD5

ec609ac82d53dfbd3f9a6d5b79a706c7
SHA1

c5c184711409107a55839c5591490278164ae635
SHA256

85f4af997095e815fe9120d40ad9b2bb570418b5dbbe7dad5cade7f16e65ed06
SHA512

f6e139b0fe2b30b4879bbe411549715d05be65dec4a7ba38bb88132a8772dad51b33d17c0af620336b3b961387e959b2a6266f510ec345a8862a99a77a3e4be3
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUM:E+b56utgpPF8u/7M

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012101-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b4d-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b54-19.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b5d-22.dat	cobalt_reflective_dll
behavioral1/files/0x0029000000018afc-40.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001904d-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019074-119.dat	cobalt_reflective_dll
behavioral1/files/0x000400000001915a-125.dat	cobalt_reflective_dll
behavioral1/files/0x000400000001919b-129.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000191b3-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019044-110.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019028-93.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ffa-91.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fcd-89.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b78-87.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b86-63.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001903d-98.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001901a-79.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fe2-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b64-48.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b62-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 60 IoCs

miner

resource	yara_rule
behavioral1/memory/2276-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x0008000000012101-3.dat	xmrig
behavioral1/memory/2812-9-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/files/0x0007000000018b4d-10.dat	xmrig
behavioral1/memory/3056-15-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/files/0x0007000000018b54-19.dat	xmrig
behavioral1/files/0x0006000000018b5d-22.dat	xmrig
behavioral1/memory/2656-37-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/files/0x0029000000018afc-40.dat	xmrig
behavioral1/memory/2876-103-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/files/0x000500000001904d-114.dat	xmrig
behavioral1/files/0x0005000000019074-119.dat	xmrig
behavioral1/files/0x000400000001915a-125.dat	xmrig
behavioral1/files/0x000400000001919b-129.dat	xmrig
behavioral1/files/0x00040000000191b3-133.dat	xmrig
behavioral1/memory/2868-136-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/files/0x0005000000019044-110.dat	xmrig
behavioral1/memory/2556-137-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/files/0x0005000000019028-93.dat	xmrig
behavioral1/files/0x0005000000018ffa-91.dat	xmrig
behavioral1/files/0x0005000000018fcd-89.dat	xmrig
behavioral1/memory/2276-139-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/files/0x0007000000018b78-87.dat	xmrig
behavioral1/memory/2668-105-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/2276-104-0x0000000002270000-0x00000000025C4000-memory.dmp	xmrig
behavioral1/memory/3056-74-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b86-63.dat	xmrig
behavioral1/memory/2516-102-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/2660-101-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/2536-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/files/0x000500000001903d-98.dat	xmrig
behavioral1/memory/2868-43-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/memory/2276-42-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2780-82-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/files/0x000500000001901a-79.dat	xmrig
behavioral1/memory/2276-78-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
behavioral1/memory/2596-70-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2556-69-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/files/0x0005000000018fe2-67.dat	xmrig
behavioral1/memory/2276-58-0x0000000002270000-0x00000000025C4000-memory.dmp	xmrig
behavioral1/memory/2808-56-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/2812-51-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b64-48.dat	xmrig
behavioral1/memory/2668-29-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b62-33.dat	xmrig
behavioral1/memory/2788-26-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2812-142-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2788-143-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/3056-144-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2668-145-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/2808-147-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/2656-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2868-148-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/memory/2596-149-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2780-150-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2556-151-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2516-153-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/2876-154-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2536-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2660-155-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2812	smfltOP.exe
3056	DYtoVaE.exe
2788	mdBtVqB.exe
2668	cyjQiML.exe
2656	vdsYRby.exe
2868	KhUnVPV.exe
2808	qXxNtpB.exe
2556	papBdVc.exe
2596	KlenmCD.exe
2780	VMFJodO.exe
2536	PAalddR.exe
2660	WnLDdAw.exe
2516	CAgSnNY.exe
2876	ejccVqM.exe
620	dwIcTAf.exe
1696	MJqMwSK.exe
1708	JnVzcwL.exe
1120	TrASnkI.exe
1816	HakTJwh.exe
1500	GisoPFk.exe
2008	UOnZdMX.exe

Loads dropped DLL 21 IoCs

pid	Process
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x0008000000012101-3.dat	upx
behavioral1/memory/2812-9-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/files/0x0007000000018b4d-10.dat	upx
behavioral1/memory/3056-15-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/files/0x0007000000018b54-19.dat	upx
behavioral1/files/0x0006000000018b5d-22.dat	upx
behavioral1/memory/2656-37-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/files/0x0029000000018afc-40.dat	upx
behavioral1/memory/2876-103-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/files/0x000500000001904d-114.dat	upx
behavioral1/files/0x0005000000019074-119.dat	upx
behavioral1/files/0x000400000001915a-125.dat	upx
behavioral1/files/0x000400000001919b-129.dat	upx
behavioral1/files/0x00040000000191b3-133.dat	upx
behavioral1/memory/2868-136-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/files/0x0005000000019044-110.dat	upx
behavioral1/memory/2556-137-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/files/0x0005000000019028-93.dat	upx
behavioral1/files/0x0005000000018ffa-91.dat	upx
behavioral1/files/0x0005000000018fcd-89.dat	upx
behavioral1/files/0x0007000000018b78-87.dat	upx
behavioral1/memory/2668-105-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/3056-74-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/files/0x0006000000018b86-63.dat	upx
behavioral1/memory/2516-102-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/memory/2660-101-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
behavioral1/memory/2536-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/files/0x000500000001903d-98.dat	upx
behavioral1/memory/2868-43-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/memory/2276-42-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2780-82-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/files/0x000500000001901a-79.dat	upx
behavioral1/memory/2596-70-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2556-69-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/files/0x0005000000018fe2-67.dat	upx
behavioral1/memory/2808-56-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/2812-51-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/files/0x0006000000018b64-48.dat	upx
behavioral1/memory/2668-29-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/files/0x0006000000018b62-33.dat	upx
behavioral1/memory/2788-26-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2812-142-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2788-143-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/3056-144-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2668-145-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/2808-147-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/2656-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2868-148-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/memory/2596-149-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2780-150-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2556-151-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2516-153-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/memory/2876-154-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2536-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2660-155-0x000000013F840000-0x000000013FB94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mdBtVqB.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\papBdVc.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\ejccVqM.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\PAalddR.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\dwIcTAf.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\KlenmCD.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\CAgSnNY.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\GisoPFk.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\smfltOP.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\DYtoVaE.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\vdsYRby.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\qXxNtpB.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\WnLDdAw.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\TrASnkI.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\HakTJwh.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\UOnZdMX.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\cyjQiML.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\KhUnVPV.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\VMFJodO.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\MJqMwSK.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
File created	C:\Windows\System\JnVzcwL.exe	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2812	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2812	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2812	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 3056	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	31
PID 2276 wrote to memory of 3056	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	31
PID 2276 wrote to memory of 3056	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2788	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2788	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2788	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2668	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2668	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2668	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2656	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	34
PID 2276 wrote to memory of 2656	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	34
PID 2276 wrote to memory of 2656	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	34
PID 2276 wrote to memory of 2868	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2868	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2868	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2808	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	36
PID 2276 wrote to memory of 2808	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	36
PID 2276 wrote to memory of 2808	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	36
PID 2276 wrote to memory of 2536	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	37
PID 2276 wrote to memory of 2536	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	37
PID 2276 wrote to memory of 2536	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	37
PID 2276 wrote to memory of 2556	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	38
PID 2276 wrote to memory of 2556	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	38
PID 2276 wrote to memory of 2556	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	38
PID 2276 wrote to memory of 2660	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	39
PID 2276 wrote to memory of 2660	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	39
PID 2276 wrote to memory of 2660	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	39
PID 2276 wrote to memory of 2596	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	40
PID 2276 wrote to memory of 2596	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	40
PID 2276 wrote to memory of 2596	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	40
PID 2276 wrote to memory of 2516	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	41
PID 2276 wrote to memory of 2516	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	41
PID 2276 wrote to memory of 2516	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	41
PID 2276 wrote to memory of 2780	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	42
PID 2276 wrote to memory of 2780	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	42
PID 2276 wrote to memory of 2780	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	42
PID 2276 wrote to memory of 2876	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	43
PID 2276 wrote to memory of 2876	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	43
PID 2276 wrote to memory of 2876	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	43
PID 2276 wrote to memory of 620	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	44
PID 2276 wrote to memory of 620	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	44
PID 2276 wrote to memory of 620	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	44
PID 2276 wrote to memory of 1696	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	45
PID 2276 wrote to memory of 1696	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	45
PID 2276 wrote to memory of 1696	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	45
PID 2276 wrote to memory of 1708	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	46
PID 2276 wrote to memory of 1708	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	46
PID 2276 wrote to memory of 1708	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	46
PID 2276 wrote to memory of 1120	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	47
PID 2276 wrote to memory of 1120	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	47
PID 2276 wrote to memory of 1120	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	47
PID 2276 wrote to memory of 1816	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	48
PID 2276 wrote to memory of 1816	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	48
PID 2276 wrote to memory of 1816	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	48
PID 2276 wrote to memory of 1500	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	49
PID 2276 wrote to memory of 1500	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	49
PID 2276 wrote to memory of 1500	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	49
PID 2276 wrote to memory of 2008	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	50
PID 2276 wrote to memory of 2008	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	50
PID 2276 wrote to memory of 2008	2276	ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe	50

C:\Users\Admin\AppData\Local\Temp\ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec609ac82d53dfbd3f9a6d5b79a706c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System\smfltOP.exe
  C:\Windows\System\smfltOP.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\DYtoVaE.exe
  C:\Windows\System\DYtoVaE.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\mdBtVqB.exe
  C:\Windows\System\mdBtVqB.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\cyjQiML.exe
  C:\Windows\System\cyjQiML.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\vdsYRby.exe
  C:\Windows\System\vdsYRby.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\KhUnVPV.exe
  C:\Windows\System\KhUnVPV.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\qXxNtpB.exe
  C:\Windows\System\qXxNtpB.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\PAalddR.exe
  C:\Windows\System\PAalddR.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\papBdVc.exe
  C:\Windows\System\papBdVc.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\WnLDdAw.exe
  C:\Windows\System\WnLDdAw.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\KlenmCD.exe
  C:\Windows\System\KlenmCD.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\CAgSnNY.exe
  C:\Windows\System\CAgSnNY.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\VMFJodO.exe
  C:\Windows\System\VMFJodO.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\ejccVqM.exe
  C:\Windows\System\ejccVqM.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\dwIcTAf.exe
  C:\Windows\System\dwIcTAf.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System\MJqMwSK.exe
  C:\Windows\System\MJqMwSK.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\JnVzcwL.exe
  C:\Windows\System\JnVzcwL.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\TrASnkI.exe
  C:\Windows\System\TrASnkI.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\HakTJwh.exe
  C:\Windows\System\HakTJwh.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\GisoPFk.exe
  C:\Windows\System\GisoPFk.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\UOnZdMX.exe
  C:\Windows\System\UOnZdMX.exe
  2⤵
  - Executes dropped EXE
  PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CAgSnNY.exe

Filesize
5.9MB

MD5
a8a4b3bede2c0342bab4fca1fb707732

SHA1
bc31729e5c2087864b95f40da801a25d338463e6

SHA256
5a730fbe50a1ebe7cc40d1d656a14aa816a33ed4f6027ed7146c05a0b9a5d5d7

SHA512
32eeb9ff480dde8fe3b23179db0dd46ac3dab32fc80efa163080ca5f79d140b6993f21c3b4a614eacf93bef4212580d102db328ace33a63cc13e798e05360c20

Download Submit
C:\Windows\system\GisoPFk.exe

Filesize
5.9MB

MD5
692578eeb32c92bfa54fa93f234158d7

SHA1
d4ad7d66fe67079ad460b86dfe6f60f6ade8a6cb

SHA256
3fe54777b65e6c65e047a08c2114b004ff1d5567ea5fcfd19c37fc5e3bddcb51

SHA512
8aca45c1c5a7c6dd1b8d1f2178f29e813a6b28942869fad501c859cc684a4149a9a1b839e5d5e8ffc59e903f78b662613abda3c79e8ff3df8c79ba5e4952ae1f

Download Submit
C:\Windows\system\HakTJwh.exe

Filesize
5.9MB

MD5
e1f75baed1cb2d91b99ad7e004c9718f

SHA1
8f50758ccef7851734ed7c51d16e190cf8f6059c

SHA256
c25839b729b1e8b4c535ddc4556c55ecbfe27796803d7fa6c0073f687f8779db

SHA512
adb5ab876cb2a5408e9aa263e7e37a6bb9156278cded6c46467fa03879e54cd23e8aec91e09bff638efd59db95a277af768df10fcfa2bd7e028f1525e205d2a0

Download Submit
C:\Windows\system\JnVzcwL.exe

Filesize
5.9MB

MD5
086e990be3c729c16d3fcea29c86b660

SHA1
86eb3918c895b0c5de2943b9391d5d0e51bd53a3

SHA256
3f531eb360ba1f5073f267de6fd772b627ca1b1def516e35f3f756db5b5f52f5

SHA512
b7e4fe042c317fc3f9efb1186f2620cb69914fb9a104bc0a5dddf00bd023e80593953834a9b23b9ca8999b280be8030d7ef2a5f59cdec0169f8cf2ba0bb871eb

Download Submit
C:\Windows\system\KhUnVPV.exe

Filesize
5.9MB

MD5
ef5cb0768416c948e4fffef32ff83ca2

SHA1
3c34e7e2e5041849515e1b74525305af3e3ab7db

SHA256
ac5f5792fea461437cccaf8c60fc3ddad714b8c537d0f836da7c5f48f8acd7a0

SHA512
24969e85e479f418006e5ecda4bed0564222f78ad97e47d74902b2b402c51089fc6a0bc5aabd1cc91909137dc427f1171f041c767b32ed37ecfe15fd80a005d9

Download Submit
C:\Windows\system\KlenmCD.exe

Filesize
5.9MB

MD5
ffdc13e8d12f2223190954dfdd491bbe

SHA1
e3da772b6e9a4590d5869d803a04c5ec42ac53c9

SHA256
f37ccef0dd57de70282f5ef8f74e5b25a6ea11544d49c40c9ff5a9e7d1cf36f7

SHA512
f23271f5e7cf632d9640f404b6b1c6694028c34c58922133eefa73d8d7732df92d18e2abaa63b63e7cc2c30ec65f668b898ee809d0e0327b62cdc089a3f81240

Download Submit
C:\Windows\system\MJqMwSK.exe

Filesize
5.9MB

MD5
9b199e50581a451d3ffb660c3f2c8e9c

SHA1
6e7dc9a27c21e2aaa196297c72e4d7bfff7fa0b3

SHA256
1ecb274b1c4eccb23c6fec929da989f76062f17a0b2f76da15c06171248c7563

SHA512
25c6698cd50642136f8c2eb901572653d61863bce3b65e9d3f40f5f7d552b893930e2518723b14068f0e875497163c4e15a79aa1032750e9cf39a137d710b19a

Download Submit
C:\Windows\system\PAalddR.exe

Filesize
5.9MB

MD5
3847803de55b840b33b15f5b838e4597

SHA1
33c5b5cdb74b08afabbb792ba1812a0f18f23f27

SHA256
f245514139fb901300d0f183f2878e1e2576274a9771bc1a1623463ded3402d2

SHA512
1daac2e626e7db9b76b8262a5b642a51faad40dc5960728a2746efda642a8c659d9e55460bd192c00eb7d67bd4ca4a4cfc494a2d2e06c2829e603da54a3886c3

Download Submit
C:\Windows\system\TrASnkI.exe

Filesize
5.9MB

MD5
ebc1d1316eeeec0c97b136f9f435bfd7

SHA1
b2749e16dc8df997dde0c0b16a8463370422dfa9

SHA256
1dcc45b9db7610db2fdaee2ad91ddf1a76d60b86816121d07a989575f7d1861c

SHA512
7df7b13df607be4b461189850d057ebe8f57c44506b031ccc07ce8020095f24329c9621809eecbc085ba48729dac244ace0dca6ab948e07da00821a39314aac3

Download Submit
C:\Windows\system\UOnZdMX.exe

Filesize
5.9MB

MD5
ee3487f22fb8d7708bfb359aa87bc4a5

SHA1
b285b8c07ca11b4505a393d756ffd77b0ea308c2

SHA256
19b95c3f728510e78850c5532422e1a66dc8f3f0563581d452020c562f1f7256

SHA512
dc0c9dd08ce84df71feef927ebb35f006aca07a0118146a5baaa365005843cfc63effcef3e97cae641e35c5d2f98d00aac1c754656a5956f79c20d0991e4034a

Download Submit
C:\Windows\system\VMFJodO.exe

Filesize
5.9MB

MD5
122628dca2a5a3c7e8112db222ab20cc

SHA1
a278944ddc74fcf7031cb9465bd26c12c4cde853

SHA256
5850d08df29c8c9212363daad1850d18fa824c4dcea183f098fabc307973cfda

SHA512
f501331e216a6f6a5c55237bde453882e34c0e02dd39f741f6c8335eb19f680e5d56b2fd181600c60650b8d74d371fb868ec69eaf3ae1708bbdea4161529e57c

Download Submit
C:\Windows\system\WnLDdAw.exe

Filesize
5.9MB

MD5
dc32ddd88d41e83e0c2ad25aee3940c4

SHA1
33d9700dac1a7ad5c705a4ba85aae2885c14b9d6

SHA256
96137c249f89d2059f0acbe580b0f5078cd86882895ad9cf1587118ebfaa3c65

SHA512
9c823b02aa710b060062cf67cf86ca81b5dfe300044cee9dceff05d388c4519959921fde09e08ea541f10153a7daa605fec6c4198b9acf55ffbe6ce42ed2e9ce

Download Submit
C:\Windows\system\dwIcTAf.exe

Filesize
5.9MB

MD5
a1fec39f85d7814275c29c0d8aa23aec

SHA1
abc9e1713cd95a2e11833ca4870ac0bd0d94502f

SHA256
6dd1db617a2b6a81a482ac5adb3d1648031ad04192705560679a20c9141b3c8d

SHA512
d90f6af45da2a4045355a76874ed433207001bd60a85ad649d58044827529e6dbb2f4c7b4f9dbc668cbeb126d3d2df446028e3f1d8c97b5d5d382c295cc5a695

Download Submit
C:\Windows\system\ejccVqM.exe

Filesize
5.9MB

MD5
23a5990f4b9d0ec3ed1abe6fbf55c784

SHA1
3f357a7a7f917045d98237836fea0df3cfb33ead

SHA256
c551b244dbcbd9bd23c6332f1680df789f8e36d023b757b0c5bfb4a7c3da79a6

SHA512
a830a13308a8ce6a97396a0a1c70de56d57a91dc2a88d44dabb15ac35e36878169959a42278e39983feb44fe85d2165ca8d8cb55c1482d86c3f09b8045097236

Download Submit
C:\Windows\system\mdBtVqB.exe

Filesize
5.9MB

MD5
63e311556d2e2895476ff0273bc9e5c1

SHA1
daa694c07738b3478aa888631905a518c9a015b6

SHA256
821402fa4de823697c3288d57d7db2f39d807a17153179de8f12dd0f7592dfb2

SHA512
31dbdf1a475c5fca4e523ca70f7f82c0f6b63ae56b936bd96161c7297830ca7105a39b48faead0034f6d9fe654dcb77ea9bc07d603faf09d82b607b06cfd3865

Download Submit
C:\Windows\system\papBdVc.exe

Filesize
5.9MB

MD5
62cf316cb0b0da41eaac896152e5ad41

SHA1
884791ea9a11f57bed7e31a3bb11d0494baa3cf2

SHA256
6a18b06912acb4e46362a8a80d975b73526b36cc35d88d43a53e106d88a7eeab

SHA512
56be84198c6d95e7f7c6d34db3bd93492dd82658d542a37d69be8ad43a612775a0004ddf74cdf46712fa9de702e454dcf88e505605c1b7e9d5b94b9cd4006a5e

Download Submit
C:\Windows\system\qXxNtpB.exe

Filesize
5.9MB

MD5
e822fdb641f22ef1da326da036371a78

SHA1
72b53fd34703ac1adfb6be25261e471672f947e3

SHA256
3bfd2ac601c755b895e23561888f591fd3e046cca827d7c2c577e50a1adb3ec6

SHA512
57292692bbf21cc61a1be4e8b6d01f505200bcd577e18669ba0e6190499e4b2750fefae75eafa27009ee13d410e8227b1e145c8bbd31fe285266c776bb444d07

Download Submit
C:\Windows\system\vdsYRby.exe

Filesize
5.9MB

MD5
a25b044ef6c094c4319b81506b6188cc

SHA1
1bc0b819789daa48a74a8d905fa7ac1b6c58c06b

SHA256
bdd6b9bed485a64d187433f5c5566a7f8463c3e5d0ab43ed3d9f82e9bb198a22

SHA512
e94ce0e981b7bbc59c95613884d64cd6e1f8a9d8ce78a7a9229b70964e2763e92b069f320af024e6755ef3d902e8cff6634c8a43ae16c5f5e980865165dfe0dd

Download Submit
\Windows\system\DYtoVaE.exe

Filesize
5.9MB

MD5
8fa59e1e1b70e5917eea96264ca5086c

SHA1
3368f13fcb680179386f51e81b5d0ee01424610c

SHA256
1f659c81fb734eb1b19587d3e779a764a258cc4f9596bd7cf9a4488e8672ea31

SHA512
923ca02278ddf03e966704cbd6e33b32d8e67d39aa0732e97441d2ac933f4b92238c69adf5803c36a2804f9c527db4156d42a8237157b545da734d65bfc08640

Download Submit
\Windows\system\cyjQiML.exe

Filesize
5.9MB

MD5
66d2a8cc5cc448d9cc55969e2ac243b0

SHA1
c439f028652941eeff473bce10c85144825d14ab

SHA256
febfc3a726e2349f7fb2544d5c24e98e4b50edcbd7a09a3b2371ca64387b7ef8

SHA512
2c206066afc14fc19a5e1e1425b8dc748713325cfb65f9e135f36885df4f35206f988ba91a2d8b0d0b582e19c4573bdbfc78548ca72badae9793070b73c23b33

Download Submit
\Windows\system\smfltOP.exe

Filesize
5.9MB

MD5
7619cbc8a38ff4a3609edeee5ca3e3df

SHA1
5132033dbc1e6d39ed049cc3e44ee0ae155f0c27

SHA256
c5ffe30ab834ec979ade027e0656357af37d674055b1b9ef63f88486ff77c97a

SHA512
368b5451d5057740231f13315aa848d08f820d256996ff05490d158851bb9d7dcc87bb5ab5df1af8e48df73d066f97b25200fb1a5670809b6e129f0c6468ccb7

Download Submit
memory/2276-99-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2276-138-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-78-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2276-139-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2276-58-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-81-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-104-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-140-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-21-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-141-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-27-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2276-6-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-42-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-36-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/2276-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-13-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2276-44-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2516-102-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2516-153-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2536-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-69-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2556-151-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2556-137-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2596-70-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2596-149-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2656-37-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/2656-146-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/2660-155-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2660-101-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2668-145-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2668-105-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2668-29-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2780-150-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2780-82-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-143-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-26-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2808-56-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2808-147-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2812-142-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-9-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-51-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-148-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2868-43-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2868-136-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2876-103-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-154-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-74-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/3056-144-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/3056-15-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download