cobaltstrike | 945320347b70f5063f8e95cf605eb290ef6c2e7f6d4e563bea9db6f6bdc29a26

Analysis

max time kernel
126s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
Size

5.9MB
MD5

f96807d70f64c81ed5cc7ba0c5e6e8a7
SHA1

61c80fce7a937ea7d1b41ff9fabb5aaf9f45b1c7
SHA256

945320347b70f5063f8e95cf605eb290ef6c2e7f6d4e563bea9db6f6bdc29a26
SHA512

f5dae19766311724c4160ec2d0011d077a6acbd1e8e47c069cd0b4a3b38c39e4fc7ad28c693628ff6649af7b3747a97e0e070ecdab2ff920c2b4e041d6db2521
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lU+:E+b56utgpPF8u/7+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012101-3.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000171a9-9.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017236-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016e88-23.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017415-30.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017444-42.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001754e-51.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000174d5-45.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018dcf-68.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018d1e-65.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018dea-84.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e65-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018eba-136.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ed5-141.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018eb2-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ea1-128.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e9f-123.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e96-118.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e25-96.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e46-105.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ddd-80.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1980-0-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/files/0x0008000000012101-3.dat	xmrig
behavioral1/memory/2680-8-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/files/0x00080000000171a9-9.dat	xmrig
behavioral1/memory/2204-15-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/files/0x0006000000017236-16.dat	xmrig
behavioral1/memory/2740-22-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/files/0x0007000000016e88-23.dat	xmrig
behavioral1/memory/2864-29-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x0006000000017415-30.dat	xmrig
behavioral1/memory/3032-35-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/1980-34-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/files/0x0006000000017444-42.dat	xmrig
behavioral1/memory/2680-44-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/files/0x000700000001754e-51.dat	xmrig
behavioral1/memory/2992-56-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/files/0x00080000000174d5-45.dat	xmrig
behavioral1/files/0x0005000000018dcf-68.dat	xmrig
behavioral1/memory/3028-50-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2588-67-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/files/0x0005000000018d1e-65.dat	xmrig
behavioral1/memory/2288-62-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/1980-61-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/1348-73-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2864-72-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x0005000000018dea-84.dat	xmrig
behavioral1/memory/624-90-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/1980-89-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2588-102-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/1184-106-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/files/0x0005000000018e65-113.dat	xmrig
behavioral1/files/0x0005000000018eba-136.dat	xmrig
behavioral1/files/0x0005000000018ed5-141.dat	xmrig
behavioral1/files/0x0005000000018eb2-133.dat	xmrig
behavioral1/files/0x0005000000018ea1-128.dat	xmrig
behavioral1/files/0x0005000000018e9f-123.dat	xmrig
behavioral1/files/0x0005000000018e96-118.dat	xmrig
behavioral1/memory/1980-111-0x0000000002420000-0x0000000002774000-memory.dmp	xmrig
behavioral1/memory/1740-145-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/1348-110-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2944-98-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/files/0x0005000000018e25-96.dat	xmrig
behavioral1/memory/1980-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/files/0x0005000000018e46-105.dat	xmrig
behavioral1/memory/624-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2992-85-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/1740-81-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/files/0x0005000000018ddd-80.dat	xmrig
behavioral1/memory/3032-78-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2944-149-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/1980-150-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/1184-151-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/1980-152-0x0000000002420000-0x0000000002774000-memory.dmp	xmrig
behavioral1/memory/2680-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2204-154-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2740-155-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2864-156-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/3032-157-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/3028-158-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2992-160-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/2288-159-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2588-161-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/1348-162-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/1740-163-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2680	PnCftiI.exe
2204	xGHtiht.exe
2740	GNxYdMm.exe
2864	LbqJcsF.exe
3032	eXtKbcb.exe
3028	VHdMsYZ.exe
2992	SCVPlEo.exe
2288	ArMyuMA.exe
2588	dUPNHAc.exe
1348	SMNQzsw.exe
1740	GdXYGgZ.exe
624	iwXUvGw.exe
2944	mWScxcI.exe
1184	HVSsgVM.exe
2896	aFJghua.exe
2644	abXDpcR.exe
2960	KKNbuBF.exe
1308	MTQkMFy.exe
2016	mKaCPUk.exe
2976	aSlDePt.exe
2980	YhgvDxk.exe

Loads dropped DLL 21 IoCs

pid	Process
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-0-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/files/0x0008000000012101-3.dat	upx
behavioral1/memory/2680-8-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/files/0x00080000000171a9-9.dat	upx
behavioral1/memory/2204-15-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/files/0x0006000000017236-16.dat	upx
behavioral1/memory/2740-22-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/files/0x0007000000016e88-23.dat	upx
behavioral1/memory/2864-29-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x0006000000017415-30.dat	upx
behavioral1/memory/3032-35-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/1980-34-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/files/0x0006000000017444-42.dat	upx
behavioral1/memory/2680-44-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/files/0x000700000001754e-51.dat	upx
behavioral1/memory/2992-56-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/files/0x00080000000174d5-45.dat	upx
behavioral1/files/0x0005000000018dcf-68.dat	upx
behavioral1/memory/3028-50-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2588-67-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/files/0x0005000000018d1e-65.dat	upx
behavioral1/memory/2288-62-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/1348-73-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2864-72-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x0005000000018dea-84.dat	upx
behavioral1/memory/624-90-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2588-102-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1184-106-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/files/0x0005000000018e65-113.dat	upx
behavioral1/files/0x0005000000018eba-136.dat	upx
behavioral1/files/0x0005000000018ed5-141.dat	upx
behavioral1/files/0x0005000000018eb2-133.dat	upx
behavioral1/files/0x0005000000018ea1-128.dat	upx
behavioral1/files/0x0005000000018e9f-123.dat	upx
behavioral1/files/0x0005000000018e96-118.dat	upx
behavioral1/memory/1740-145-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/1348-110-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2944-98-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/files/0x0005000000018e25-96.dat	upx
behavioral1/files/0x0005000000018e46-105.dat	upx
behavioral1/memory/624-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2992-85-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/1740-81-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/files/0x0005000000018ddd-80.dat	upx
behavioral1/memory/3032-78-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2944-149-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/1184-151-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2680-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2204-154-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2740-155-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2864-156-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/3032-157-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/3028-158-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2992-160-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/2288-159-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2588-161-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1348-162-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/1740-163-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/624-164-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/1184-166-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2944-165-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SMNQzsw.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\GdXYGgZ.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\iwXUvGw.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\mWScxcI.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\abXDpcR.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\GNxYdMm.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\LbqJcsF.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\eXtKbcb.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\SCVPlEo.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\ArMyuMA.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\dUPNHAc.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\HVSsgVM.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\KKNbuBF.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\mKaCPUk.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\aSlDePt.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\PnCftiI.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\xGHtiht.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\VHdMsYZ.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\aFJghua.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\MTQkMFy.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
File created	C:\Windows\System\YhgvDxk.exe	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2680	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2680	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2680	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	32
PID 1980 wrote to memory of 2204	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	33
PID 1980 wrote to memory of 2204	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	33
PID 1980 wrote to memory of 2204	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	33
PID 1980 wrote to memory of 2740	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2740	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2740	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	34
PID 1980 wrote to memory of 2864	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	35
PID 1980 wrote to memory of 2864	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	35
PID 1980 wrote to memory of 2864	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	35
PID 1980 wrote to memory of 3032	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	36
PID 1980 wrote to memory of 3032	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	36
PID 1980 wrote to memory of 3032	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	36
PID 1980 wrote to memory of 3028	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	37
PID 1980 wrote to memory of 3028	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	37
PID 1980 wrote to memory of 3028	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	37
PID 1980 wrote to memory of 2992	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	38
PID 1980 wrote to memory of 2992	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	38
PID 1980 wrote to memory of 2992	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	38
PID 1980 wrote to memory of 2288	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	39
PID 1980 wrote to memory of 2288	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	39
PID 1980 wrote to memory of 2288	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	39
PID 1980 wrote to memory of 2588	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	40
PID 1980 wrote to memory of 2588	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	40
PID 1980 wrote to memory of 2588	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	40
PID 1980 wrote to memory of 1348	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	41
PID 1980 wrote to memory of 1348	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	41
PID 1980 wrote to memory of 1348	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	41
PID 1980 wrote to memory of 1740	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	42
PID 1980 wrote to memory of 1740	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	42
PID 1980 wrote to memory of 1740	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	42
PID 1980 wrote to memory of 624	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	43
PID 1980 wrote to memory of 624	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	43
PID 1980 wrote to memory of 624	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	43
PID 1980 wrote to memory of 2944	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	44
PID 1980 wrote to memory of 2944	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	44
PID 1980 wrote to memory of 2944	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	44
PID 1980 wrote to memory of 1184	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	45
PID 1980 wrote to memory of 1184	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	45
PID 1980 wrote to memory of 1184	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	45
PID 1980 wrote to memory of 2896	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	46
PID 1980 wrote to memory of 2896	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	46
PID 1980 wrote to memory of 2896	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	46
PID 1980 wrote to memory of 2644	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	47
PID 1980 wrote to memory of 2644	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	47
PID 1980 wrote to memory of 2644	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	47
PID 1980 wrote to memory of 2960	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	48
PID 1980 wrote to memory of 2960	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	48
PID 1980 wrote to memory of 2960	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	48
PID 1980 wrote to memory of 1308	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	49
PID 1980 wrote to memory of 1308	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	49
PID 1980 wrote to memory of 1308	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	49
PID 1980 wrote to memory of 2016	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	50
PID 1980 wrote to memory of 2016	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	50
PID 1980 wrote to memory of 2016	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	50
PID 1980 wrote to memory of 2976	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	51
PID 1980 wrote to memory of 2976	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	51
PID 1980 wrote to memory of 2976	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	51
PID 1980 wrote to memory of 2980	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	52
PID 1980 wrote to memory of 2980	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	52
PID 1980 wrote to memory of 2980	1980	f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f96807d70f64c81ed5cc7ba0c5e6e8a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\System\PnCftiI.exe
  C:\Windows\System\PnCftiI.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\xGHtiht.exe
  C:\Windows\System\xGHtiht.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\GNxYdMm.exe
  C:\Windows\System\GNxYdMm.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\LbqJcsF.exe
  C:\Windows\System\LbqJcsF.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\eXtKbcb.exe
  C:\Windows\System\eXtKbcb.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\VHdMsYZ.exe
  C:\Windows\System\VHdMsYZ.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\SCVPlEo.exe
  C:\Windows\System\SCVPlEo.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\ArMyuMA.exe
  C:\Windows\System\ArMyuMA.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\dUPNHAc.exe
  C:\Windows\System\dUPNHAc.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\SMNQzsw.exe
  C:\Windows\System\SMNQzsw.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\GdXYGgZ.exe
  C:\Windows\System\GdXYGgZ.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\iwXUvGw.exe
  C:\Windows\System\iwXUvGw.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\mWScxcI.exe
  C:\Windows\System\mWScxcI.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\HVSsgVM.exe
  C:\Windows\System\HVSsgVM.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\aFJghua.exe
  C:\Windows\System\aFJghua.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\abXDpcR.exe
  C:\Windows\System\abXDpcR.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\KKNbuBF.exe
  C:\Windows\System\KKNbuBF.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\MTQkMFy.exe
  C:\Windows\System\MTQkMFy.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\mKaCPUk.exe
  C:\Windows\System\mKaCPUk.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\aSlDePt.exe
  C:\Windows\System\aSlDePt.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\YhgvDxk.exe
  C:\Windows\System\YhgvDxk.exe
  2⤵
  - Executes dropped EXE
  PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GdXYGgZ.exe

Filesize
5.9MB

MD5
d35aa5ddefee6a10dc68923afc2770ef

SHA1
98bd531de3a3a8b0a8a7f619123cf578bc795d6f

SHA256
d3e63c17b7dc0f0eea3be4b1fbb0070441eda85229495f43c33a176a0ccf35f0

SHA512
ed43d0019a291db4a02b254a9d3f88ccac84e6e55499e63b8594711c1f34d85ba7cbae93f1bb0ccbdc83c929be2785e70a395f9334f883295a1ea9484fecf31f

Download Submit
C:\Windows\system\HVSsgVM.exe

Filesize
5.9MB

MD5
9dfef7c6618be5b0af68d66e43658aed

SHA1
08c45cf6b939d065d590b3a093cedde237d10bff

SHA256
fb0ffb0ce94756464478f415d256f6bf3e89b599ff5d6c39a9952846554bfb72

SHA512
797ebee748c69419dbce2ef233bfc7148094c4afe9fdf65e51383ddb84c5338fb02dc00197358f1a21879655e357475bc4c4fabc98728d7b787f22fe2560c48a

Download Submit
C:\Windows\system\KKNbuBF.exe

Filesize
5.9MB

MD5
81b6ec6bb31ae94488ad3dc018e7ec9e

SHA1
c39a1f5a2ed0c0abb4830497c142c6b71b8a83fd

SHA256
87a9bf2c0432b3386ed33e9e450678c4da6e442ff4b2d1efe51e3ff09e338d83

SHA512
85121b648aeea0dc1456ff2eac3bcb7068decd54b4325e5316819353abf7621f1c16499b7c8437a3ed70e5e6e16bba69ff527cf1208ae04c5b15d5d12b6a9537

Download Submit
C:\Windows\system\MTQkMFy.exe

Filesize
5.9MB

MD5
9e7c7aa1de1b11e0098211a92d89431b

SHA1
981f7f823930f15be71236eb8c0f49793b402418

SHA256
dd66612ef80944e9c04e576d5b80c949ae43e1adcc87e4bdb35388afeab9d932

SHA512
5b080bf9a94f8cf1476f28fff42bfa99595c1a5273ea531e18c3b100d550e99db403f497c6df63f547b4ae8845d772ec5b6bcbd981cb6469d6c38739bf7fbaa3

Download Submit
C:\Windows\system\VHdMsYZ.exe

Filesize
5.9MB

MD5
c5b8d6fc6db38694afca72cd5c6e9b44

SHA1
eb160dd3a28df2bbdd48612129a7f45f2505bfda

SHA256
01888cd4c3b00fea6beb23c4209154c02097f075b94f48b282c4609a8e924aff

SHA512
9cdbaeffdd23b1422e17041d44eef6904d1ac127b1238479c1b2c7c7057ec1b08a013c55cd3a1afde388fb75dcf9dd63d2675b4dd8fd72966b7da09827b353f9

Download Submit
C:\Windows\system\aFJghua.exe

Filesize
5.9MB

MD5
ecbbd1fc16257b8dcfc0dbe233ad4e11

SHA1
63ec19d46d11b0044a1c24406aa32fb27b20a7fe

SHA256
18ccd3916c2a99e012b42355a068581fb9e5901dd10b93c805b4a8dcb6dae79d

SHA512
ae02fa9d44d10663b898c96d78d77c64ad0bbae9313b86a0cabc636a6c2bdc30abbdd92597aae9e3dba52578d05cd9780aa25f747239c83d7ab5fb095c8215c0

Download Submit
C:\Windows\system\abXDpcR.exe

Filesize
5.9MB

MD5
db56b5219d6dea945aad4f7b16658890

SHA1
750005a16714329f46096d8d4f475cc5b13edfd9

SHA256
42e659919485d0c3fb8fd59aa4a0895383be612385c1338a4805b7c0f8024fae

SHA512
12af0b312ec374204031ed55bb2f3c16c9ba67d9da6e0f3847f0d0bd84dd2b2a0b743bfa33044d35ef6abe86eb09ced3c1a56a6bba065d02996e99cffe70c28b

Download Submit
C:\Windows\system\dUPNHAc.exe

Filesize
5.9MB

MD5
bdb240b390cb753888102aa2984e8916

SHA1
b1536eae6c52a5a6924c4618104d56cfd96d3c9f

SHA256
a59f480f8b9f80a5970f0f8fa5d84edd153ec02f34051fc05abfab8e7d19aa59

SHA512
42969fc221c475263a0dd3852fa9bc7e92b95b2395f9e1be5421222f58d0f9e917f627f42baba8692c0a7f47ce6895cf6cd49d9419f48cbfb90c979d9d08d9d6

Download Submit
C:\Windows\system\mKaCPUk.exe

Filesize
5.9MB

MD5
117dc709bdf5c429478dda72be3843b4

SHA1
14895e4fe4180189ccc52adc7a3eb502972f27a4

SHA256
26ba4961ee43b2cd1aa69e4ed7bb7bcc0312126426ad3f53c48f9550fa359e6e

SHA512
760bf7297b1748ffa05220a604ac2097faaf3be751dffdf9c036b0399e74cb3d3808680dadfd6cdbab5c622152bf830fd4b4fef3f0516ccbd2c1a3933d70c71b

Download Submit
C:\Windows\system\mWScxcI.exe

Filesize
5.9MB

MD5
91039ba7c130912b3a6bf6a654177607

SHA1
17b07752cf40bb59fcd82b11c3206a0bc37f3cb7

SHA256
8df30b1410a2c32b14875b047905e4ac59491d1534bb745bf2c4a414bd6eb728

SHA512
76f4a56d77afe688ef3d34b44bd1acc2f17cb0062c303de2a3db30b035083be8d4a09e144092071ebbff26d7922a05fb4cff35c7fbd5a9c0b39e73a991f0b84e

Download Submit
\Windows\system\ArMyuMA.exe

Filesize
5.9MB

MD5
dbd3c68982c08edb4a42c3b3b9608dd6

SHA1
4e122933fdb878f0f620d593acf92b152a76ed02

SHA256
7ea9f42fd153d4becd2beb5f07ec0bddd2c55b0780ec2b89030973af24fb8a59

SHA512
37807b4c04bbc6659b9e6fe5de65ca4eda194041a8d8230c87536bf6a5d1162e9af8abcc490283de22ed127438c4ac04e8c9810070561b829c96a35389e8b31a

Download Submit
\Windows\system\GNxYdMm.exe

Filesize
5.9MB

MD5
b0d3c7840abebcf74f1ae3bb4dc7a07d

SHA1
a933d4825b7a045490796e7e3eaf419aea906b66

SHA256
e6cec9d9857d32ec7b8a5671ebc80415cfbc05c680fd19cbc529d68a806f4af4

SHA512
7bde94cec31cc0357daf1b4dade3ab4367238c87aab2b3d8e109143e46b9bd3f347c33dc7ea46b061656abf2e3525c53fe87c86b47dff39838abe8fe24894aaf

Download Submit
\Windows\system\LbqJcsF.exe

Filesize
5.9MB

MD5
69eab02da3f48f804792c1bffa6b4141

SHA1
00c1d5afe3458223a5264788f4c5f3b78928cd95

SHA256
fc55a27e07299753df992564bb0b9befd6618ccd68d7005445c77d033f3e9f36

SHA512
2bc6f64273de36a08e7e5a98cded20b7bde1c28c5764ac5344b32710b8fcb8a020b8b33ba6570bbca2c3d51181536b9027b374feabda01972b593c70db8da27d

Download Submit
\Windows\system\PnCftiI.exe

Filesize
5.9MB

MD5
b30ab25e96cbc6a2930c60b7b4d25d4f

SHA1
ba80643809808d203391f76324f1c1ba03da1498

SHA256
e001d529bab9b09fcbdfe6c65d1d6d9229568dad2ad0aa63ea6c5bce582da068

SHA512
1cf2490259fb1626fb44ddc8eb67b72bac32932c3b670cb6bf34436abb83d95446c314df8503e773e847c8af951eb6196eb52ac4a7b560a42ab2709583dbd233

Download Submit
\Windows\system\SCVPlEo.exe

Filesize
5.9MB

MD5
53a578937e71a32ab3c5e936e3aaeaf4

SHA1
9989bfd9a10686b171dab3794a99e0d47172669b

SHA256
1fc5674ed3ae3f2ccf8cdd0289284f04ae7ee19083fe1d11885b7ac1a0d352ae

SHA512
b5e308df32b4dc9676cdfd7c5eab37cfb4e58a568fcb1f7068e134c1ef11ae9347e8671bf3c7c831f5cb94a0fdf464d53bd8c424ddf77d4468ea97511707343f

Download Submit
\Windows\system\SMNQzsw.exe

Filesize
5.9MB

MD5
cbf6f525d941b1b5e0cb1607d1354358

SHA1
d658ef255d35b03a96cff5b12824e5d0b76ea8a0

SHA256
885fda7550722a8fabd17235ae6b0a28de46d3b7253afb6c2181be76d8114385

SHA512
a1d3cb3e04120ee5d547864c397559f8d52dee547cf6bd328edcdfb74ac4843a15387a263e989fdc359ae215546a3d39a3dc52631f0f4602390b2bddf214cd1c

Download Submit
\Windows\system\YhgvDxk.exe

Filesize
5.9MB

MD5
24bad09e688f5e1ffffd18a3112aece4

SHA1
d78e9cc129f815b8b02705f73dfc64272928a379

SHA256
bc0fc764bce437646d17b73931ca0b8daf8eaf854c31ed99e9b0eb8a3e3d876a

SHA512
34eee98366ae14623d71ac15401011bdd51b0656cf52ffc10c1531b15c2ca12d9e6d84a52e0fd22dc677ab11cc316cd8086e7ae01bda8183594ab5d2daf1fb28

Download Submit
\Windows\system\aSlDePt.exe

Filesize
5.9MB

MD5
18bcc35e4e4347c8902150bd38be471d

SHA1
590dcf7c3ef8d3106f4085ed3075e3dc8b806fe7

SHA256
01dd3ef87ddd6cd4108d6f38b20cdfb9eb2d14bc28355401afc5d420a9f18219

SHA512
b9145035b9b1c5baa8252b09b4ba4ec00e91d330b0c89cd8a8e6b7c90332c9f5a52334c1ddb442dd0544608d2de1ffa19d11edaf6f6d2cc50e6cfca1756d01d2

Download Submit
\Windows\system\eXtKbcb.exe

Filesize
5.9MB

MD5
c83160ccd23489d2e3025ec5b4891dc0

SHA1
506f6ecc506903ef30f5e148bbf0fecf2080f51f

SHA256
7b8f296c04135a07125c5ffbbc05403ea39976951c53081218d452c2e8ff3126

SHA512
0a49f5342fb9220a26b56ed03b88056403cfeb66b4db9fb40117741ced8780d4d96d44b6226fd41642e8605b6c36ca38186ae7a83c1a5978ba8eafe9556f3de2

Download Submit
\Windows\system\iwXUvGw.exe

Filesize
5.9MB

MD5
e5e9be7ef00975705d03a3b65ff0ef19

SHA1
ee7e949c8fd37864f431e0e1ff93c1618ab0bcc0

SHA256
623d97eb18c724c71ee5578175c0547a6cffa08a677d3d2dd024955ef3641231

SHA512
77ec57e54eeda43c1697a13bf40b1fc9246e51265d25ba49be9a739da6707c82627c3da5e1a549aff4e3ed3f475fd8fe16d066417086e783262f044ea4791679

Download Submit
\Windows\system\xGHtiht.exe

Filesize
5.9MB

MD5
84f48f123ab28d99cab173286fadfcfa

SHA1
e185a1d6a275f7c01d193532212f2f17b03eb5a3

SHA256
ac520fccd92e4d154ec3a057290d7d35e8a87063e67e21b0ce38817161a38bce

SHA512
1c0928f5884a6dc71a8094c7d50aad53e1ba1fdaf8a8ab67e19dcf9b5958caa92d84d212261b981109eb911fc54200791e99461d81a7ad3023f2022bb1d1b325

Download Submit
memory/624-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/624-90-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/624-164-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1184-106-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1184-166-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1184-151-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1348-162-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1348-110-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1348-73-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1740-81-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-145-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-163-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-86-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1980-66-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/1980-103-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1980-64-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1980-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1980-89-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-61-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-152-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1980-12-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/1980-150-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1980-48-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/1980-148-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/1980-41-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-32-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1980-34-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1980-21-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/1980-63-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/1980-0-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1980-111-0x0000000002420000-0x0000000002774000-memory.dmp

Filesize
3.3MB

Download
memory/1980-97-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1980-27-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/1980-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1980-94-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/1980-70-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2204-154-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2204-15-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2288-159-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-62-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-102-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2588-67-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2588-161-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2680-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-44-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-8-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-22-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2740-155-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2864-29-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2864-72-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2864-156-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2944-149-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2944-165-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2944-98-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2992-160-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2992-56-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2992-85-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/3028-158-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/3028-50-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/3032-157-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/3032-78-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/3032-35-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download