cobaltstrike | 1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92

Analysis

max time kernel
48s
max time network
14s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
Size

5.2MB
MD5

343fab52a4b0e58925719e6451903093
SHA1

845fe3f231d26295dbda9feaa6a48d29e504aac1
SHA256

1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92
SHA512

5ae92127ee496819c7d36ffb8cf5f17a840cee010dc7c90958ddc60e072ed8f8476623b4bdd0bfd0823fd5540695f35f80efee65c4096bbade18013c6af8c303

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 29 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\AbHhiKR.exe	cobalt_reflective_dll
C:\Windows\system\AbHhiKR.exe	cobalt_reflective_dll
\Windows\system\LhjtzVP.exe	cobalt_reflective_dll
C:\Windows\system\LhjtzVP.exe	cobalt_reflective_dll
\Windows\system\nphnSAx.exe	cobalt_reflective_dll
C:\Windows\system\nphnSAx.exe	cobalt_reflective_dll
\Windows\system\MfINcom.exe	cobalt_reflective_dll
C:\Windows\system\MfINcom.exe	cobalt_reflective_dll
\Windows\system\tbQsdfk.exe	cobalt_reflective_dll
C:\Windows\system\tbQsdfk.exe	cobalt_reflective_dll
\Windows\system\ImKBRkC.exe	cobalt_reflective_dll
C:\Windows\system\ImKBRkC.exe	cobalt_reflective_dll
\Windows\system\UiSqGfm.exe	cobalt_reflective_dll
C:\Windows\system\UiSqGfm.exe	cobalt_reflective_dll
\Windows\system\jEOVZeu.exe	cobalt_reflective_dll
C:\Windows\system\jEOVZeu.exe	cobalt_reflective_dll
\Windows\system\qtmwUIQ.exe	cobalt_reflective_dll
C:\Windows\system\qtmwUIQ.exe	cobalt_reflective_dll
\Windows\system\LjpjwcZ.exe	cobalt_reflective_dll
C:\Windows\system\LjpjwcZ.exe	cobalt_reflective_dll
\Windows\system\vlpSjEN.exe	cobalt_reflective_dll
C:\Windows\system\vlpSjEN.exe	cobalt_reflective_dll
C:\Windows\system\XeSboTK.exe	cobalt_reflective_dll
\Windows\system\XeSboTK.exe	cobalt_reflective_dll
\Windows\system\REsPCha.exe	cobalt_reflective_dll
C:\Windows\system\REsPCha.exe	cobalt_reflective_dll
\Windows\system\fCFzfMM.exe	cobalt_reflective_dll
C:\Windows\system\fCFzfMM.exe	cobalt_reflective_dll
\Windows\system\exwchps.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 14 IoCs

Processes:

AbHhiKR.exeLhjtzVP.exenphnSAx.exeMfINcom.exetbQsdfk.exeImKBRkC.exeUiSqGfm.exejEOVZeu.exeqtmwUIQ.exeLjpjwcZ.exevlpSjEN.exeXeSboTK.exeREsPCha.exefCFzfMM.exe

pid	process
1716	AbHhiKR.exe
1584	LhjtzVP.exe
788	nphnSAx.exe
1968	MfINcom.exe
1964	tbQsdfk.exe
1784	ImKBRkC.exe
1736	UiSqGfm.exe
1796	jEOVZeu.exe
1652	qtmwUIQ.exe
1892	LjpjwcZ.exe
1996	vlpSjEN.exe
1500	XeSboTK.exe
1020	REsPCha.exe
772	fCFzfMM.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\AbHhiKR.exe	upx
C:\Windows\system\AbHhiKR.exe	upx
\Windows\system\LhjtzVP.exe	upx
C:\Windows\system\LhjtzVP.exe	upx
\Windows\system\nphnSAx.exe	upx
C:\Windows\system\nphnSAx.exe	upx
\Windows\system\MfINcom.exe	upx
C:\Windows\system\MfINcom.exe	upx
\Windows\system\tbQsdfk.exe	upx
C:\Windows\system\tbQsdfk.exe	upx
\Windows\system\ImKBRkC.exe	upx
C:\Windows\system\ImKBRkC.exe	upx
\Windows\system\UiSqGfm.exe	upx
C:\Windows\system\UiSqGfm.exe	upx
\Windows\system\jEOVZeu.exe	upx
C:\Windows\system\jEOVZeu.exe	upx
\Windows\system\qtmwUIQ.exe	upx
C:\Windows\system\qtmwUIQ.exe	upx
\Windows\system\LjpjwcZ.exe	upx
C:\Windows\system\LjpjwcZ.exe	upx
\Windows\system\vlpSjEN.exe	upx
C:\Windows\system\vlpSjEN.exe	upx
C:\Windows\system\XeSboTK.exe	upx
\Windows\system\XeSboTK.exe	upx
\Windows\system\REsPCha.exe	upx
C:\Windows\system\REsPCha.exe	upx
\Windows\system\fCFzfMM.exe	upx
C:\Windows\system\fCFzfMM.exe	upx
\Windows\system\exwchps.exe	upx

Loads dropped DLL 15 IoCs

Processes:

1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe

pid	process
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe

JavaScript code in executable 29 IoCs

Processes:

resource	yara_rule
\Windows\system\AbHhiKR.exe	js
C:\Windows\system\AbHhiKR.exe	js
\Windows\system\LhjtzVP.exe	js
C:\Windows\system\LhjtzVP.exe	js
\Windows\system\nphnSAx.exe	js
C:\Windows\system\nphnSAx.exe	js
\Windows\system\MfINcom.exe	js
C:\Windows\system\MfINcom.exe	js
\Windows\system\tbQsdfk.exe	js
C:\Windows\system\tbQsdfk.exe	js
\Windows\system\ImKBRkC.exe	js
C:\Windows\system\ImKBRkC.exe	js
\Windows\system\UiSqGfm.exe	js
C:\Windows\system\UiSqGfm.exe	js
\Windows\system\jEOVZeu.exe	js
C:\Windows\system\jEOVZeu.exe	js
\Windows\system\qtmwUIQ.exe	js
C:\Windows\system\qtmwUIQ.exe	js
\Windows\system\LjpjwcZ.exe	js
C:\Windows\system\LjpjwcZ.exe	js
\Windows\system\vlpSjEN.exe	js
C:\Windows\system\vlpSjEN.exe	js
C:\Windows\system\XeSboTK.exe	js
\Windows\system\XeSboTK.exe	js
\Windows\system\REsPCha.exe	js
C:\Windows\system\REsPCha.exe	js
\Windows\system\fCFzfMM.exe	js
C:\Windows\system\fCFzfMM.exe	js
\Windows\system\exwchps.exe	js

Drops file in Windows directory 15 IoCs

Processes:

1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe

description	ioc	process
File created	C:\Windows\System\vlpSjEN.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\fCFzfMM.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\exwchps.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\UiSqGfm.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\jEOVZeu.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\qtmwUIQ.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\XeSboTK.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\REsPCha.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\MfINcom.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\LjpjwcZ.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\AbHhiKR.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\LhjtzVP.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\nphnSAx.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\tbQsdfk.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
File created	C:\Windows\System\ImKBRkC.exe	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe

description	pid	process	target process
PID 2036 wrote to memory of 1716	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	AbHhiKR.exe
PID 2036 wrote to memory of 1716	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	AbHhiKR.exe
PID 2036 wrote to memory of 1716	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	AbHhiKR.exe
PID 2036 wrote to memory of 1584	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	LhjtzVP.exe
PID 2036 wrote to memory of 1584	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	LhjtzVP.exe
PID 2036 wrote to memory of 1584	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	LhjtzVP.exe
PID 2036 wrote to memory of 788	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	nphnSAx.exe
PID 2036 wrote to memory of 788	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	nphnSAx.exe
PID 2036 wrote to memory of 788	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	nphnSAx.exe
PID 2036 wrote to memory of 1968	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	MfINcom.exe
PID 2036 wrote to memory of 1968	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	MfINcom.exe
PID 2036 wrote to memory of 1968	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	MfINcom.exe
PID 2036 wrote to memory of 1964	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	tbQsdfk.exe
PID 2036 wrote to memory of 1964	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	tbQsdfk.exe
PID 2036 wrote to memory of 1964	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	tbQsdfk.exe
PID 2036 wrote to memory of 1784	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	ImKBRkC.exe
PID 2036 wrote to memory of 1784	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	ImKBRkC.exe
PID 2036 wrote to memory of 1784	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	ImKBRkC.exe
PID 2036 wrote to memory of 1736	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	UiSqGfm.exe
PID 2036 wrote to memory of 1736	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	UiSqGfm.exe
PID 2036 wrote to memory of 1736	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	UiSqGfm.exe
PID 2036 wrote to memory of 1796	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	jEOVZeu.exe
PID 2036 wrote to memory of 1796	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	jEOVZeu.exe
PID 2036 wrote to memory of 1796	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	jEOVZeu.exe
PID 2036 wrote to memory of 1652	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	qtmwUIQ.exe
PID 2036 wrote to memory of 1652	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	qtmwUIQ.exe
PID 2036 wrote to memory of 1652	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	qtmwUIQ.exe
PID 2036 wrote to memory of 1892	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	LjpjwcZ.exe
PID 2036 wrote to memory of 1892	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	LjpjwcZ.exe
PID 2036 wrote to memory of 1892	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	LjpjwcZ.exe
PID 2036 wrote to memory of 1996	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	vlpSjEN.exe
PID 2036 wrote to memory of 1996	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	vlpSjEN.exe
PID 2036 wrote to memory of 1996	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	vlpSjEN.exe
PID 2036 wrote to memory of 1500	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	XeSboTK.exe
PID 2036 wrote to memory of 1500	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	XeSboTK.exe
PID 2036 wrote to memory of 1500	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	XeSboTK.exe
PID 2036 wrote to memory of 1020	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	REsPCha.exe
PID 2036 wrote to memory of 1020	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	REsPCha.exe
PID 2036 wrote to memory of 1020	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	REsPCha.exe
PID 2036 wrote to memory of 772	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	fCFzfMM.exe
PID 2036 wrote to memory of 772	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	fCFzfMM.exe
PID 2036 wrote to memory of 772	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	fCFzfMM.exe
PID 2036 wrote to memory of 440	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	exwchps.exe
PID 2036 wrote to memory of 440	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	exwchps.exe
PID 2036 wrote to memory of 440	2036	1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe	exwchps.exe

C:\Users\Admin\AppData\Local\Temp\1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe
"C:\Users\Admin\AppData\Local\Temp\1b7773d4ecc31379d1232d053dcde99c3fccd42a696770b126fb7cf110d5dd92.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System\AbHhiKR.exe
C:\Windows\System\AbHhiKR.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System\LhjtzVP.exe
C:\Windows\System\LhjtzVP.exe
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\System\nphnSAx.exe
C:\Windows\System\nphnSAx.exe
2⤵
- Executes dropped EXE
PID:788

C:\Windows\System\MfINcom.exe
C:\Windows\System\MfINcom.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\tbQsdfk.exe
C:\Windows\System\tbQsdfk.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\ImKBRkC.exe
C:\Windows\System\ImKBRkC.exe
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\System\UiSqGfm.exe
C:\Windows\System\UiSqGfm.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System\jEOVZeu.exe
C:\Windows\System\jEOVZeu.exe
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\System\qtmwUIQ.exe
C:\Windows\System\qtmwUIQ.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\System\LjpjwcZ.exe
C:\Windows\System\LjpjwcZ.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\vlpSjEN.exe
C:\Windows\System\vlpSjEN.exe
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\System\XeSboTK.exe
C:\Windows\System\XeSboTK.exe
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\System\REsPCha.exe
C:\Windows\System\REsPCha.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\fCFzfMM.exe
C:\Windows\System\fCFzfMM.exe
2⤵
- Executes dropped EXE
PID:772

C:\Windows\System\exwchps.exe
C:\Windows\System\exwchps.exe
2⤵
PID:440

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AbHhiKR.exe
MD5
187a2ea9ae324be21477cc7a1aa4dccc

SHA1
b5ee0e7d01fa545d134fa89020f663e7f8144e87

SHA256
625caeb55dc73c416e8f26751156da4dc7d79691d07c34b1f4b7784565f162ce

SHA512
5b4f8b6f6a2cbffaac9ced2073b0d2847306c577d700ac20ec2867b0732dcf4c3c4a9836b58961cfc84d07fb6d60bcb78223ea9d4cc561b11b930203e20d145d

Download Submit
C:\Windows\system\ImKBRkC.exe
MD5
363065ef8b7850d0770879046fb5816e

SHA1
271fb300c6d0cc8563509e09126f717cede9707c

SHA256
d726123bcdd9782069be62698950ac3f519bca1f5a9a56cc9b44b93cb6935059

SHA512
fba08b1dcc5b64e8420b64d8632e30fc6172a19d99efff3e574ef1b51a80326222e51796673d13d82b04b02533e3feeab587f5f5364a05ee8e2efe29f635918d

Download Submit
C:\Windows\system\LhjtzVP.exe
MD5
ade0d5c7a8d17d089402e9e836ab87e3

SHA1
dc33cdbab13b49b11559e29920088a8c57c1b221

SHA256
73aec9df4053e38efb8059bf3ff65460547800553684a5f4f7ecf3f44fc62d0e

SHA512
8da7f0c742e03d18861cd856a76d313db7f2bcd4e232b02ab81b0390ff56c513c186cf01d160951ea5d644bd3185c586fb9334ee75249d6fe1883fd4dc574b38

Download Submit
C:\Windows\system\LjpjwcZ.exe
MD5
a04899d5ddd7c28b3a923f8fcb1b2f01

SHA1
be81f5d4e2faccf986273c6ced4475436abf2126

SHA256
b3bee7acca42402bdc74c86584daf4f9f0e4a7c97333d7023f6ba0dc41830313

SHA512
a6c08b627c870274cb6ddb4607a713df0b034202e2049e2af8076b8e5b141f78a286e55e3f32cd10e0a863e6afc2006a073b8347932b0ba7df5ae42dfa0d52d1

Download Submit
C:\Windows\system\MfINcom.exe
MD5
20c2962441a138eb67a696f047e3bf3f

SHA1
da55e74d70ac420cc0d3cf3a4362d1f5e079176f

SHA256
5618964664d9f9d840c923a64c3954fff8545be46a3a90614b83f24284f71f1b

SHA512
70c681eac592610381c5bd7233162d54daf60b5cc378d4e6686419634fd4a565f34a3defe26ae88540cc7332671060eddf02167fbfd7fa914b942ba1af982265

Download Submit
C:\Windows\system\REsPCha.exe
MD5
8b7ef8d29d5ed073be75f4d162054317

SHA1
bf19718bebbaab939ebb46ea173474046ecca181

SHA256
d358f41ade31bb765134bb351c686b8facc4864c56d58bf6a9e016803930a9e4

SHA512
44efc1c24d2cf87b3986c6b14e34463f4619686d8b912483233f3e0a3a070378ac5ea8727bc8db85c8584f02f3d066679b7a4b9f6fb268a9b3eec7d1c4814e27

Download Submit
C:\Windows\system\UiSqGfm.exe
MD5
40d70670bbd22d32f5d0783dd36c6d71

SHA1
0bb77bb204609012abf413c9c09e8b9c31499125

SHA256
56945fdfd11e1243eac55089d291b617a0209753a51399cea0415c39d4da76f0

SHA512
6a50258b71c2bdfc19c7b2148d8d7070522617fc4b98b227bfc902b58cfe46bc14199c10c3a8e7796b4d8366b544b645dd6004eeb6d75eee01ddf57483ede70b

Download Submit
C:\Windows\system\XeSboTK.exe
MD5
e48b997d4654895c788eed6af37e90e3

SHA1
7abd6de042610c0e00c0f06b76ec9735ad956da5

SHA256
43f0cbeb6dc1b2d64596f75aeededca7bfd2ad26811669a0831be1b98e0d7c15

SHA512
9c4bb9d7df3bc49979bb5bd5e634565ab81062f156cfc7392694982f29caaee4d76d8fb081c4ebdb09dcc5f83f352de751f95ad84cc018fe7b78ae989b82a378

Download Submit
C:\Windows\system\fCFzfMM.exe
MD5
f233b6b09690023f3d3daa8bb28bf9ac

SHA1
b645a997322bc2b755ff9da0dcb8218fe35429ef

SHA256
fc527dbe288fad0dca7fb46a038ed796106e66760a46b24029baa7aed887ff31

SHA512
902b458145b586fafc81c9d29edf5f2cff6649b2111429cf640c60ec7e8952fa0303bb571fa0bcc12c9fea1ab9dcbdbe68674d30fd53ec6a2ddbf864b7a31be5

Download Submit
C:\Windows\system\jEOVZeu.exe
MD5
7303e2b55659875aa9b6dfd251086211

SHA1
3b347d4d1508bc130436869082029e43eef16722

SHA256
84c49340fdb07f3b7fa408ebd98b182505ad792ad85173f5e82860cbe100e2ed

SHA512
b2709247428aa3bb24466cf1ed432e623fdab139c81492c097c20033f71b2da2f44dee24b84c61c6d364a3450a6e7bbd1ccebfb6b14de296851a2aa96a2a9571

Download Submit
C:\Windows\system\nphnSAx.exe
MD5
cdc17484332c86a5f37effd64f0b260d

SHA1
8971b6dfa20e22a00faed0de755720b171ebd96a

SHA256
ed6ac93ff310e21183f46e62a2c5dd378fd61d7288368b9fd68f1eaed6d207bd

SHA512
f6b8d6dad987e539da98cf5696fe1c1cb4f1e99d0c658786098636c92cc45e4857bad81ec02a9e8dfbe248d240a80244df04bab09d0e1ad7f6ce47251f7e98e2

Download Submit
C:\Windows\system\qtmwUIQ.exe
MD5
a9dcae3fd57cdf463de04d827bc15007

SHA1
dc12c1f4c7406c8691db84ddd6894722137478cf

SHA256
c9927ad9e1030467cf5a3aeae26cbda0d94d6a03f5ef88da4c3ee37ea8b56e29

SHA512
80e64027c3f666fc14ca7845b13072c0ab2fec4d097de907aa93a500671bedde1277d7207f4f0d83e833d8d9ee218be281dda849d37f411477d2c6e0bb252510

Download Submit
C:\Windows\system\tbQsdfk.exe
MD5
37635991ae99d758d3148cadc19e7861

SHA1
abae741d92277ee7f6fa81d26d2fbb05382844ee

SHA256
776f100fbde153d7588496df143fd15ef967596d98d14df49a4c88fdf632d6a8

SHA512
01c9c31d11bde2ab3de3f7ba57ce35d1bedb3fda5313c563c8cf86aca88fc5ac0a3cef32921991c3acd7b44d7254728ef57fdf730291a791e50a87d2975379a7

Download Submit
C:\Windows\system\vlpSjEN.exe
MD5
cdeff857e80ab9dfd6fe7b6ef4731fe3

SHA1
51f5e2d775728cdf77657081ab87ce4f63c031dd

SHA256
9e44851d5d15bf14beac91a3b6d5005974a244f54b71a5ab3be97a6a1c47a355

SHA512
1499de8a303ebe9e92f46f286eb333b9f5a454de166d1576badf6fd5c6686c0d4ef096bf339d58c7408cfdb38b72c004135bdb26e0792ff6dbc18664bc2932b5

Download Submit
\Windows\system\AbHhiKR.exe
MD5
187a2ea9ae324be21477cc7a1aa4dccc

SHA1
b5ee0e7d01fa545d134fa89020f663e7f8144e87

SHA256
625caeb55dc73c416e8f26751156da4dc7d79691d07c34b1f4b7784565f162ce

SHA512
5b4f8b6f6a2cbffaac9ced2073b0d2847306c577d700ac20ec2867b0732dcf4c3c4a9836b58961cfc84d07fb6d60bcb78223ea9d4cc561b11b930203e20d145d

Download Submit
\Windows\system\ImKBRkC.exe
MD5
363065ef8b7850d0770879046fb5816e

SHA1
271fb300c6d0cc8563509e09126f717cede9707c

SHA256
d726123bcdd9782069be62698950ac3f519bca1f5a9a56cc9b44b93cb6935059

SHA512
fba08b1dcc5b64e8420b64d8632e30fc6172a19d99efff3e574ef1b51a80326222e51796673d13d82b04b02533e3feeab587f5f5364a05ee8e2efe29f635918d

Download Submit
\Windows\system\LhjtzVP.exe
MD5
ade0d5c7a8d17d089402e9e836ab87e3

SHA1
dc33cdbab13b49b11559e29920088a8c57c1b221

SHA256
73aec9df4053e38efb8059bf3ff65460547800553684a5f4f7ecf3f44fc62d0e

SHA512
8da7f0c742e03d18861cd856a76d313db7f2bcd4e232b02ab81b0390ff56c513c186cf01d160951ea5d644bd3185c586fb9334ee75249d6fe1883fd4dc574b38

Download Submit
\Windows\system\LjpjwcZ.exe
MD5
a04899d5ddd7c28b3a923f8fcb1b2f01

SHA1
be81f5d4e2faccf986273c6ced4475436abf2126

SHA256
b3bee7acca42402bdc74c86584daf4f9f0e4a7c97333d7023f6ba0dc41830313

SHA512
a6c08b627c870274cb6ddb4607a713df0b034202e2049e2af8076b8e5b141f78a286e55e3f32cd10e0a863e6afc2006a073b8347932b0ba7df5ae42dfa0d52d1

Download Submit
\Windows\system\MfINcom.exe
MD5
20c2962441a138eb67a696f047e3bf3f

SHA1
da55e74d70ac420cc0d3cf3a4362d1f5e079176f

SHA256
5618964664d9f9d840c923a64c3954fff8545be46a3a90614b83f24284f71f1b

SHA512
70c681eac592610381c5bd7233162d54daf60b5cc378d4e6686419634fd4a565f34a3defe26ae88540cc7332671060eddf02167fbfd7fa914b942ba1af982265

Download Submit
\Windows\system\REsPCha.exe
MD5
8b7ef8d29d5ed073be75f4d162054317

SHA1
bf19718bebbaab939ebb46ea173474046ecca181

SHA256
d358f41ade31bb765134bb351c686b8facc4864c56d58bf6a9e016803930a9e4

SHA512
44efc1c24d2cf87b3986c6b14e34463f4619686d8b912483233f3e0a3a070378ac5ea8727bc8db85c8584f02f3d066679b7a4b9f6fb268a9b3eec7d1c4814e27

Download Submit
\Windows\system\UiSqGfm.exe
MD5
40d70670bbd22d32f5d0783dd36c6d71

SHA1
0bb77bb204609012abf413c9c09e8b9c31499125

SHA256
56945fdfd11e1243eac55089d291b617a0209753a51399cea0415c39d4da76f0

SHA512
6a50258b71c2bdfc19c7b2148d8d7070522617fc4b98b227bfc902b58cfe46bc14199c10c3a8e7796b4d8366b544b645dd6004eeb6d75eee01ddf57483ede70b

Download Submit
\Windows\system\XeSboTK.exe
MD5
e48b997d4654895c788eed6af37e90e3

SHA1
7abd6de042610c0e00c0f06b76ec9735ad956da5

SHA256
43f0cbeb6dc1b2d64596f75aeededca7bfd2ad26811669a0831be1b98e0d7c15

SHA512
9c4bb9d7df3bc49979bb5bd5e634565ab81062f156cfc7392694982f29caaee4d76d8fb081c4ebdb09dcc5f83f352de751f95ad84cc018fe7b78ae989b82a378

Download Submit
\Windows\system\exwchps.exe
MD5
45e9b3145291075b4533963cc5ac57bf

SHA1
4a12625f786388f3ac109b68ddff9b93a9848744

SHA256
a7ea0dd49d131a4652257bc659a2d83e5c73f59be37a932e7c265450079abef4

SHA512
444c9c34d406d3c6d36fcc2daf50ce11db292213527b70b55fe1f13d5cd37961ed33de24f2c3ad3da5f037c2651028742037c57db6f369346dd2ee2b2220cc63

Download Submit
\Windows\system\fCFzfMM.exe
MD5
f233b6b09690023f3d3daa8bb28bf9ac

SHA1
b645a997322bc2b755ff9da0dcb8218fe35429ef

SHA256
fc527dbe288fad0dca7fb46a038ed796106e66760a46b24029baa7aed887ff31

SHA512
902b458145b586fafc81c9d29edf5f2cff6649b2111429cf640c60ec7e8952fa0303bb571fa0bcc12c9fea1ab9dcbdbe68674d30fd53ec6a2ddbf864b7a31be5

Download Submit
\Windows\system\jEOVZeu.exe
MD5
7303e2b55659875aa9b6dfd251086211

SHA1
3b347d4d1508bc130436869082029e43eef16722

SHA256
84c49340fdb07f3b7fa408ebd98b182505ad792ad85173f5e82860cbe100e2ed

SHA512
b2709247428aa3bb24466cf1ed432e623fdab139c81492c097c20033f71b2da2f44dee24b84c61c6d364a3450a6e7bbd1ccebfb6b14de296851a2aa96a2a9571

Download Submit
\Windows\system\nphnSAx.exe
MD5
cdc17484332c86a5f37effd64f0b260d

SHA1
8971b6dfa20e22a00faed0de755720b171ebd96a

SHA256
ed6ac93ff310e21183f46e62a2c5dd378fd61d7288368b9fd68f1eaed6d207bd

SHA512
f6b8d6dad987e539da98cf5696fe1c1cb4f1e99d0c658786098636c92cc45e4857bad81ec02a9e8dfbe248d240a80244df04bab09d0e1ad7f6ce47251f7e98e2

Download Submit
\Windows\system\qtmwUIQ.exe
MD5
a9dcae3fd57cdf463de04d827bc15007

SHA1
dc12c1f4c7406c8691db84ddd6894722137478cf

SHA256
c9927ad9e1030467cf5a3aeae26cbda0d94d6a03f5ef88da4c3ee37ea8b56e29

SHA512
80e64027c3f666fc14ca7845b13072c0ab2fec4d097de907aa93a500671bedde1277d7207f4f0d83e833d8d9ee218be281dda849d37f411477d2c6e0bb252510

Download Submit
\Windows\system\tbQsdfk.exe
MD5
37635991ae99d758d3148cadc19e7861

SHA1
abae741d92277ee7f6fa81d26d2fbb05382844ee

SHA256
776f100fbde153d7588496df143fd15ef967596d98d14df49a4c88fdf632d6a8

SHA512
01c9c31d11bde2ab3de3f7ba57ce35d1bedb3fda5313c563c8cf86aca88fc5ac0a3cef32921991c3acd7b44d7254728ef57fdf730291a791e50a87d2975379a7

Download Submit
\Windows\system\vlpSjEN.exe
MD5
cdeff857e80ab9dfd6fe7b6ef4731fe3

SHA1
51f5e2d775728cdf77657081ab87ce4f63c031dd

SHA256
9e44851d5d15bf14beac91a3b6d5005974a244f54b71a5ab3be97a6a1c47a355

SHA512
1499de8a303ebe9e92f46f286eb333b9f5a454de166d1576badf6fd5c6686c0d4ef096bf339d58c7408cfdb38b72c004135bdb26e0792ff6dbc18664bc2932b5

Download Submit
memory/440-43-0x0000000000000000-mapping.dmp

Download
memory/772-40-0x0000000000000000-mapping.dmp

Download
memory/788-7-0x0000000000000000-mapping.dmp

Download
memory/1020-37-0x0000000000000000-mapping.dmp

Download
memory/1500-34-0x0000000000000000-mapping.dmp

Download
memory/1584-4-0x0000000000000000-mapping.dmp

Download
memory/1652-25-0x0000000000000000-mapping.dmp

Download
memory/1716-1-0x0000000000000000-mapping.dmp

Download
memory/1736-19-0x0000000000000000-mapping.dmp

Download
memory/1784-16-0x0000000000000000-mapping.dmp

Download
memory/1796-22-0x0000000000000000-mapping.dmp

Download
memory/1892-28-0x0000000000000000-mapping.dmp

Download
memory/1964-13-0x0000000000000000-mapping.dmp

Download
memory/1968-10-0x0000000000000000-mapping.dmp

Download
memory/1996-31-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads