cobaltstrike | 880821f2c6ec48ee5cf2aa70398d9fad76891e85f6a69bf85f284cd70d7a1eb6

Analysis

max time kernel
125s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
Size

5.9MB
MD5

eadecc9d164580d3ce636f8ca95a9145
SHA1

6381dbcc6ebd2cb4d27122888205a0f55c328491
SHA256

880821f2c6ec48ee5cf2aa70398d9fad76891e85f6a69bf85f284cd70d7a1eb6
SHA512

5fcc3d2f9ec52028adc509aed3529ae1f5af9e9ebc71bbcaf6ba3f128de5b0ecf06fd987611e339d2f513a2395dd782f26a78d9acd742585e5814e5ce05365e4
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUF:E+b56utgpPF8u/7F

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x001500000000f6b0-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018ce8-10.dat	cobalt_reflective_dll
behavioral1/files/0x000e000000018dcf-12.dat	cobalt_reflective_dll
behavioral1/files/0x002b000000018cf2-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018dea-30.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018e46-38.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018e96-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018e65-51.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018ea1-70.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000192d3-82.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000192e3-92.dat	cobalt_reflective_dll
behavioral1/files/0x000400000001934f-121.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000193a5-136.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000193d5-144.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000193b6-141.dat	cobalt_reflective_dll
behavioral1/files/0x0004000000019393-131.dat	cobalt_reflective_dll
behavioral1/files/0x0004000000019380-126.dat	cobalt_reflective_dll
behavioral1/files/0x0004000000019329-116.dat	cobalt_reflective_dll
behavioral1/files/0x0004000000019308-100.dat	cobalt_reflective_dll
behavioral1/files/0x0004000000019319-108.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018e9f-68.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2316-0-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/files/0x001500000000f6b0-3.dat	xmrig
behavioral1/memory/2272-9-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/files/0x0008000000018ce8-10.dat	xmrig
behavioral1/memory/1028-16-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/files/0x000e000000018dcf-12.dat	xmrig
behavioral1/files/0x002b000000018cf2-21.dat	xmrig
behavioral1/memory/2184-29-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2104-23-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000018dea-30.dat	xmrig
behavioral1/memory/2316-34-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2316-36-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/2760-37-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/files/0x0006000000018e46-38.dat	xmrig
behavioral1/memory/2272-44-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2392-45-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/files/0x0006000000018e96-53.dat	xmrig
behavioral1/memory/3068-61-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2104-58-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2576-54-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/files/0x0006000000018e65-51.dat	xmrig
behavioral1/files/0x0007000000018ea1-70.dat	xmrig
behavioral1/memory/2612-75-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/memory/2180-84-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/2392-83-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/files/0x00040000000192d3-82.dat	xmrig
behavioral1/memory/2576-89-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/2484-93-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/files/0x00040000000192e3-92.dat	xmrig
behavioral1/memory/2160-110-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/files/0x000400000001934f-121.dat	xmrig
behavioral1/files/0x00040000000193a5-136.dat	xmrig
behavioral1/memory/2612-148-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/files/0x00040000000193d5-144.dat	xmrig
behavioral1/files/0x00040000000193b6-141.dat	xmrig
behavioral1/files/0x0004000000019393-131.dat	xmrig
behavioral1/memory/2180-149-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/files/0x0004000000019380-126.dat	xmrig
behavioral1/files/0x0004000000019329-116.dat	xmrig
behavioral1/memory/2580-101-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/files/0x0004000000019308-100.dat	xmrig
behavioral1/memory/2316-98-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2484-151-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2316-97-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2596-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x0004000000019319-108.dat	xmrig
behavioral1/memory/2316-152-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2580-153-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2596-69-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x0008000000018e9f-68.dat	xmrig
behavioral1/memory/1028-52-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2160-155-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/memory/2272-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/1028-158-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2104-159-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2184-160-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2760-161-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/2392-162-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/3068-163-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2576-164-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/2596-166-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2612-165-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/memory/2180-167-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/2484-168-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2272	BGcdJdY.exe
1028	GoFEAcy.exe
2104	PJqfueM.exe
2184	lODEtSW.exe
2760	ypzvgCi.exe
2392	kzflJXt.exe
2576	PprmYSb.exe
3068	QdcuZpx.exe
2596	ILCATEi.exe
2612	QztagOa.exe
2180	UQGicMD.exe
2484	VNHLJJW.exe
2580	iVrqPOy.exe
2160	kCdUOVh.exe
1708	aAAAdDO.exe
1312	htJTBBk.exe
1484	xmNkafb.exe
2256	ASGMAxv.exe
2852	GZkjoyW.exe
2912	FPTMirW.exe
2928	JcAJNTr.exe

Loads dropped DLL 21 IoCs

pid	Process
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/files/0x001500000000f6b0-3.dat	upx
behavioral1/memory/2272-9-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/files/0x0008000000018ce8-10.dat	upx
behavioral1/memory/1028-16-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/files/0x000e000000018dcf-12.dat	upx
behavioral1/files/0x002b000000018cf2-21.dat	upx
behavioral1/memory/2184-29-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2104-23-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/files/0x0007000000018dea-30.dat	upx
behavioral1/memory/2316-34-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2760-37-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/files/0x0006000000018e46-38.dat	upx
behavioral1/memory/2272-44-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2392-45-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/files/0x0006000000018e96-53.dat	upx
behavioral1/memory/3068-61-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2104-58-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2576-54-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/files/0x0006000000018e65-51.dat	upx
behavioral1/files/0x0007000000018ea1-70.dat	upx
behavioral1/memory/2612-75-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/memory/2180-84-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/memory/2392-83-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/files/0x00040000000192d3-82.dat	upx
behavioral1/memory/2576-89-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/2484-93-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/files/0x00040000000192e3-92.dat	upx
behavioral1/memory/2160-110-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/files/0x000400000001934f-121.dat	upx
behavioral1/files/0x00040000000193a5-136.dat	upx
behavioral1/memory/2612-148-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/files/0x00040000000193d5-144.dat	upx
behavioral1/files/0x00040000000193b6-141.dat	upx
behavioral1/files/0x0004000000019393-131.dat	upx
behavioral1/memory/2180-149-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/files/0x0004000000019380-126.dat	upx
behavioral1/files/0x0004000000019329-116.dat	upx
behavioral1/memory/2580-101-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/files/0x0004000000019308-100.dat	upx
behavioral1/memory/2484-151-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2596-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x0004000000019319-108.dat	upx
behavioral1/memory/2580-153-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2596-69-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x0008000000018e9f-68.dat	upx
behavioral1/memory/1028-52-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2160-155-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2272-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/1028-158-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2104-159-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2184-160-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2760-161-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/2392-162-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/3068-163-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2576-164-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/2596-166-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2612-165-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/memory/2180-167-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/memory/2484-168-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2580-169-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2160-170-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kCdUOVh.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\JcAJNTr.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\QztagOa.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\PJqfueM.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\kzflJXt.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\UQGicMD.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\xmNkafb.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\ASGMAxv.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\GoFEAcy.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\ypzvgCi.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\PprmYSb.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\VNHLJJW.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\GZkjoyW.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\lODEtSW.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\QdcuZpx.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\ILCATEi.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\iVrqPOy.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\aAAAdDO.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\htJTBBk.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\FPTMirW.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
File created	C:\Windows\System\BGcdJdY.exe	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2272	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2272	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2272	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1028	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	31
PID 2316 wrote to memory of 1028	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	31
PID 2316 wrote to memory of 1028	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2104	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2104	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2104	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2184	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2184	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2184	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2760	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2760	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2760	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	34
PID 2316 wrote to memory of 2392	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	35
PID 2316 wrote to memory of 2392	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	35
PID 2316 wrote to memory of 2392	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	35
PID 2316 wrote to memory of 2576	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	36
PID 2316 wrote to memory of 2576	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	36
PID 2316 wrote to memory of 2576	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	36
PID 2316 wrote to memory of 3068	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	37
PID 2316 wrote to memory of 3068	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	37
PID 2316 wrote to memory of 3068	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	37
PID 2316 wrote to memory of 2596	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	38
PID 2316 wrote to memory of 2596	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	38
PID 2316 wrote to memory of 2596	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	38
PID 2316 wrote to memory of 2612	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	39
PID 2316 wrote to memory of 2612	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	39
PID 2316 wrote to memory of 2612	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	39
PID 2316 wrote to memory of 2180	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	40
PID 2316 wrote to memory of 2180	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	40
PID 2316 wrote to memory of 2180	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	40
PID 2316 wrote to memory of 2484	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	41
PID 2316 wrote to memory of 2484	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	41
PID 2316 wrote to memory of 2484	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	41
PID 2316 wrote to memory of 2580	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	42
PID 2316 wrote to memory of 2580	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	42
PID 2316 wrote to memory of 2580	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	42
PID 2316 wrote to memory of 2160	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	43
PID 2316 wrote to memory of 2160	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	43
PID 2316 wrote to memory of 2160	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	43
PID 2316 wrote to memory of 1708	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	44
PID 2316 wrote to memory of 1708	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	44
PID 2316 wrote to memory of 1708	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	44
PID 2316 wrote to memory of 1312	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	45
PID 2316 wrote to memory of 1312	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	45
PID 2316 wrote to memory of 1312	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	45
PID 2316 wrote to memory of 1484	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	46
PID 2316 wrote to memory of 1484	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	46
PID 2316 wrote to memory of 1484	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	46
PID 2316 wrote to memory of 2256	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	47
PID 2316 wrote to memory of 2256	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	47
PID 2316 wrote to memory of 2256	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	47
PID 2316 wrote to memory of 2852	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	48
PID 2316 wrote to memory of 2852	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	48
PID 2316 wrote to memory of 2852	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	48
PID 2316 wrote to memory of 2912	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	49
PID 2316 wrote to memory of 2912	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	49
PID 2316 wrote to memory of 2912	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	49
PID 2316 wrote to memory of 2928	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	50
PID 2316 wrote to memory of 2928	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	50
PID 2316 wrote to memory of 2928	2316	eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe	50

C:\Users\Admin\AppData\Local\Temp\eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eadecc9d164580d3ce636f8ca95a9145_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System\BGcdJdY.exe
  C:\Windows\System\BGcdJdY.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\GoFEAcy.exe
  C:\Windows\System\GoFEAcy.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\PJqfueM.exe
  C:\Windows\System\PJqfueM.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\lODEtSW.exe
  C:\Windows\System\lODEtSW.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\ypzvgCi.exe
  C:\Windows\System\ypzvgCi.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\kzflJXt.exe
  C:\Windows\System\kzflJXt.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\PprmYSb.exe
  C:\Windows\System\PprmYSb.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\QdcuZpx.exe
  C:\Windows\System\QdcuZpx.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\ILCATEi.exe
  C:\Windows\System\ILCATEi.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\QztagOa.exe
  C:\Windows\System\QztagOa.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\UQGicMD.exe
  C:\Windows\System\UQGicMD.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\VNHLJJW.exe
  C:\Windows\System\VNHLJJW.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\iVrqPOy.exe
  C:\Windows\System\iVrqPOy.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\kCdUOVh.exe
  C:\Windows\System\kCdUOVh.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\aAAAdDO.exe
  C:\Windows\System\aAAAdDO.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\htJTBBk.exe
  C:\Windows\System\htJTBBk.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\xmNkafb.exe
  C:\Windows\System\xmNkafb.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\ASGMAxv.exe
  C:\Windows\System\ASGMAxv.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\GZkjoyW.exe
  C:\Windows\System\GZkjoyW.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\FPTMirW.exe
  C:\Windows\System\FPTMirW.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\JcAJNTr.exe
  C:\Windows\System\JcAJNTr.exe
  2⤵
  - Executes dropped EXE
  PID:2928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ASGMAxv.exe

Filesize
5.9MB

MD5
6bf3b1498fa3e9d00fc07f6c753e6d9f

SHA1
55151fc8bd3c5a38bd9073c4e5034d033eb2828e

SHA256
82167be1e4ca155c90bcdcd06cbed33d14a95771fc369695f5184d6fa5c6636b

SHA512
07c87754749aa30c7604ea0a624ec521b94ab7de019a2088b29b74fbc83531d1f989721d2acac626cc95167eca940edd5c64d35053f2d843e35b92b2f3c1e00b

Download Submit
C:\Windows\system\FPTMirW.exe

Filesize
5.9MB

MD5
900130283efd6657bc151a10f3ffe6aa

SHA1
7d31cc73ee62a2d54f12472d94aa62a58e35cf30

SHA256
caa47f94e41df2b69e98b75d895d29bf3bc6dc87b665cccc59424897437320c4

SHA512
961bb841e533ff54cb674a320ab9c45b369e6766a4379f68b3715e94c04a6833a6cba69d494bce550ecb8e1da13f75d627d903a852b814a471e240f5a1b40ae9

Download Submit
C:\Windows\system\GZkjoyW.exe

Filesize
5.9MB

MD5
74dd1425efe5a683132123a1b53e589f

SHA1
81399e5ca1a13b67cc68b68fe014c871ee29a2ed

SHA256
df679697d80fdcd0aa8855068414db4af1fbc22694c47644ed822d8bde57a60d

SHA512
846ca2569058c2d671d2d13b6426a617e06dbd5eda9df39d14251291fcf9fedf644bf18c771f504ca7e4d5f1bfc864803fce85ce517727ae151370e117e94c7d

Download Submit
C:\Windows\system\ILCATEi.exe

Filesize
5.9MB

MD5
f31e055b73309bc9a88c47820caea55c

SHA1
eacf8e6cd00aa2af5f72c6a747765919503c547f

SHA256
b52d97e5d8d88f1efdd0375793471b4865427968302d71d1ede83246d6cbc758

SHA512
81d42097cbb5ee188c0ca801b6f5112f4fb6b3f02e7979f7a69fcb51aa2ce8b44d6a4d4c73cd0032566f0b7da038255d0d6f3dfd2e816676c64090e2386a308b

Download Submit
C:\Windows\system\PJqfueM.exe

Filesize
5.9MB

MD5
91048025138e12bfd6dddb201701047e

SHA1
c5fc64e0df52246806f7c101a07661f9657abf67

SHA256
48045a00c1e51b2d12662f0a2ef24bf8157354f63be9c50e6d33caed39764673

SHA512
22d3ae65e7158b79a8842a098234d02728c9ffae38d71a8d6fed98f80ea49b5277b84e88dd1039f732928bfff85fb7f00dc4ad8bee0d0df42751f2f0dc941e21

Download Submit
C:\Windows\system\PprmYSb.exe

Filesize
5.9MB

MD5
89bd1359b1dc93805b3c498e8e7f797c

SHA1
a6787a5a7878b0d141a2da64296789b486962f39

SHA256
54c6cac9e14c71dcdd0adb61076aa1baff44a8245a16b5868ad76383c6c61bda

SHA512
76228a704fbb1b3b954a13289af024ded7464ed755d18271ae79b460b50b2dc300059b982d6d95427125382e96419693bb248e3b5643371a93f80af547d01f6a

Download Submit
C:\Windows\system\UQGicMD.exe

Filesize
5.9MB

MD5
979fceb53224ac44ec72524d786f87ef

SHA1
4339db3ccd30f4cf751e7915b82373c8a87e33bc

SHA256
63d0cfe2766fbbf2012455a5b4d1797f2835be6825017e2487995fb5dd9501a6

SHA512
988a13f411a14481405587ca779c399965ec98a5b647ac6b80f261bc10a34d3c3292e85054c8341bb45fdce6ef283788a90ed6e80d21b3a35da1c3235643edcb

Download Submit
C:\Windows\system\VNHLJJW.exe

Filesize
5.9MB

MD5
f1c355c9b92bcc5deeb4f0bf97d1083c

SHA1
edaf77b542bd378998c41dea2e7b70912816b840

SHA256
948e36648c19f778426386b483dafcc3113f5ba3f124b09bdb7cd5edbdaa6f8a

SHA512
9a72e33420fc2d469fea5d06f03ae079e89c32ea81ff7cc267a0db904e683d59fe33e11ca744ef6d18bb4ec875cc9dde4c7249af22176af3d56fd98ef49a5c69

Download Submit
C:\Windows\system\aAAAdDO.exe

Filesize
5.9MB

MD5
a7b883b9f0156169494942035f995fd9

SHA1
d4052d5d61e8b733bcac21e340d9a7562241daee

SHA256
c435f629d2995af1152a4e7503caa47869f185bbe918857e0bbf4ac5bc414228

SHA512
729af7756ff667d9fa6122cce2d5fc241e9468bd7c2a0a05919ca24c20253f017d80118092ac339850bd980aa2a4b30a8bff8cffa75c86ec6cc5db5acf9f1540

Download Submit
C:\Windows\system\htJTBBk.exe

Filesize
5.9MB

MD5
22e9eda021373f30f3db734c80bc0511

SHA1
469c12ce78d3988f972ab715ffc3100d07cd2f25

SHA256
5bba597ae79ed163e73916e6c40afb32e9f31f9ffe86e6e384432efc9ea3eaef

SHA512
ab719e830cbc04b486f83d98334922ab68e604c6afc099d26e5407ce74c3a15e11bf3402e251d4ca3422950808cb1af03f007b7eef26d53177684ee19999d89e

Download Submit
C:\Windows\system\iVrqPOy.exe

Filesize
5.9MB

MD5
7c3fa4116ac2b3ad1ce942f295dc24d0

SHA1
5c9a96479c6bc7e2caf707f4a22f5ce6b9894e68

SHA256
958bfa56e231ebba608dc9102b9101b950d92791a1f0f725eaefc0fb1360a56e

SHA512
adf620355f1bd8ba21aaec2bb0c0a36c79536a95e4c3a4ac2469e096db23ee93016c597633741bbfb9516806d516c443ede3282e22da18c022b522c17ae59ccc

Download Submit
C:\Windows\system\kCdUOVh.exe

Filesize
5.9MB

MD5
b945f279dbcf5e3ced3f3789967b246e

SHA1
e16ce8e3a57232d5d706f876ed56dc66a6558411

SHA256
14ba4236fa9427ee482e24c1d4abf55fb5e5759e554ae30ed099d714f253ce21

SHA512
b687687f3abe84d92f3cbf41a6e2f969ca8c6674458a6f80614c9f47b479ed1637f331d46642b7ab9ec8aacc6979b41bf155d5de2a7dd85fceebd5746b5c349d

Download Submit
C:\Windows\system\xmNkafb.exe

Filesize
5.9MB

MD5
c9f8a0f40aaeb6bb6c9601b4d4c9024b

SHA1
419630c7680fa3666b559ed3ddcd2a4dd7a3a261

SHA256
87c9c7731b2e763dd21d0be3280803cc6187a33267d77afe296e4516b0c170d5

SHA512
244fe9732616e01cd1b2fcc0fbd5adfcb2b72dce840ec9562e9867f08fa6894d1ef23bbb089f353e37ec4c7503c71d0dd71ae5534e5d9ecf93fee27d45e52bd2

Download Submit
\Windows\system\BGcdJdY.exe

Filesize
5.9MB

MD5
6e7c8c8046d3d47011bbe4546e6b02f8

SHA1
52b0169dc7aab78c1442df54c3aa38037e77f533

SHA256
285c3055c6f897484673940016deb756a4f24540809ccfc54da1dca11ee2c400

SHA512
629043eea3545e8d10ea3bf291cd802addd93382e6f0c7cc3d9913ee1f97b77ca675b4dea916ac6e2436733e4fbe3496533ef796b488ae2dd454995ea47e81be

Download Submit
\Windows\system\GoFEAcy.exe

Filesize
5.9MB

MD5
d9cc8c52fde667c2778a4cca4e58eb3c

SHA1
ab53afe5f83d30f61970e02aca0cd4c027a34471

SHA256
2d7f046090a6577f096fae9cdaa74e1ec1351cddce649bdcd091bc62b4ccb435

SHA512
5a78c496e9e1428c9fd5122487eddd6f58bec5555655e8d99d328ab0cea4ca5a36f1ee7b8518da5ef49c7d03e8977af88f0014b7effeeb3fb67f15ddbd7bbf80

Download Submit
\Windows\system\JcAJNTr.exe

Filesize
5.9MB

MD5
5d571d1b929100ff332ec5fb9ed6955f

SHA1
471b6d724f057a4f97b71a4b2d411dd9f22935b7

SHA256
c24131307148ab7425c0def13c4731fa9bd5989eeb72957694f35f995f3a984b

SHA512
2aa9bc649ff423f74511b6169807302881fa8b16b8509d9470b16f3a1fc50b86d46b00b342c2e5708ddf633e6c9055138582ae96f65780fd9dffc57244983a66

Download Submit
\Windows\system\QdcuZpx.exe

Filesize
5.9MB

MD5
735f4463c3f0812734c29c7b6b2d1536

SHA1
d1a5c454c2f7f148b79d8ba9480e1d9a98ffff8e

SHA256
b3a8d109fbec7af87f14bec2304e160315d3b9837a45f64766082b8e749a6089

SHA512
0d5ac1485ebe87521c05d227a9b0fad4720f1ec9c97dab28094592963e015f37dd8ad32c315ce44874807497107e2fdbe817280350346f520cacddbc8ae208e2

Download Submit
\Windows\system\QztagOa.exe

Filesize
5.9MB

MD5
9666db2bcef7cacc2a4a9c9c9bcde439

SHA1
31e22b0d72bb4e86bd02be7df41542e96a44495a

SHA256
fce7204e2077f2530ef69db77021930c82d895eb60152f7d18bbec2085719891

SHA512
cd795b8b9bdd1086340234a9665e4cf3bccf2c96b28d6f9592722d614d0bcd9e831146d649b4fd82c07535a23ff103cde69fa865c4d18c099a28866f19d6569e

Download Submit
\Windows\system\kzflJXt.exe

Filesize
5.9MB

MD5
281c9ec300d9b62e98861b0cb6906a62

SHA1
d26fe4283b97c750c90ceb0b423a42335af1832a

SHA256
feab74945550db8ee6b2e268e4d086abafa1794cf08467023cbed99629670a53

SHA512
8384c5c6d24be93bf07770792859759da68ec613935da8fa48002ffe2eae7ad3f6222d29572a78226bb2776f5cbe3022113b430a95208da635dbfbbb2d63e59e

Download Submit
\Windows\system\lODEtSW.exe

Filesize
5.9MB

MD5
63858947349d9a1eac55d4f080b6e159

SHA1
fb1b63920b18c23dee3a6d73c43bc94624eb87cf

SHA256
0a687c55364c55c3b54f3cb67729880a721edae902bcd5ec403faecfa7f9ab42

SHA512
02a2bc5b4be4df66b29c1122dc982a67357d2c14f6cb9225d7ad3756c068ed2676fb7f11ae3eb6a6b37bf0c07405383c3d04a9a9557cc44ce2c1fba7796e3ed8

Download Submit
\Windows\system\ypzvgCi.exe

Filesize
5.9MB

MD5
f804329d0c7af382610a0ad9d141823c

SHA1
86a592edbdbb946cdb25e7fc2e49752f8cf4d020

SHA256
ca05559891ae0169e3971427238d514af245693b1fb082acb3785462a723993b

SHA512
40b21ebde574cc1b5501c0b81ca91701f501fb2d2e21d70e991a563b29e726891d5c660dd05dfd6b2d677aae7c153490f7859882f7fa3b371b6fdf30d0072928

Download Submit
memory/1028-52-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-158-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-16-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-159-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-58-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-23-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2160-155-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2160-110-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2160-170-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2180-149-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-84-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-167-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-160-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2184-29-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2272-9-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-44-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-157-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-40-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-26-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2316-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2316-80-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-6-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-13-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-34-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2316-74-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2316-48-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2316-36-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2316-150-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-156-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-114-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2316-154-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-60-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-98-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2316-43-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2316-97-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-63-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2316-0-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2316-106-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-105-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-152-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2316-90-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-88-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2316-71-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2316-65-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-45-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2392-162-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2392-83-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2484-93-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-168-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-151-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-164-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2576-54-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2576-89-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2580-153-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2580-169-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2580-101-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2596-166-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-69-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-165-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2612-148-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2612-75-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2760-161-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2760-37-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/3068-163-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-61-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download