cobaltstrike | c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
Size

5.9MB
MD5

afe6516a4a150bcd966664c05944c494
SHA1

599eb108c1654ff2af629d97f1fc34f5aea44d25
SHA256

c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1
SHA512

6c4f3523008ae2597b2386cb7de498a645c504c3c1e9ca4f39629bb503779c56dcd9c72add0b7ff1afd49816bc7527a19655e05189691633ca2bf2b751893f2d

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 25 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\JJtrqTu.exe	cobalt_reflective_dll
C:\Windows\system\JJtrqTu.exe	cobalt_reflective_dll
\Windows\system\XvGkVJK.exe	cobalt_reflective_dll
C:\Windows\system\XvGkVJK.exe	cobalt_reflective_dll
\Windows\system\avsGllX.exe	cobalt_reflective_dll
C:\Windows\system\avsGllX.exe	cobalt_reflective_dll
\Windows\system\rIesTCK.exe	cobalt_reflective_dll
C:\Windows\system\SFNInbE.exe	cobalt_reflective_dll
\Windows\system\SFNInbE.exe	cobalt_reflective_dll
C:\Windows\system\rIesTCK.exe	cobalt_reflective_dll
\Windows\system\pSONdwA.exe	cobalt_reflective_dll
C:\Windows\system\pSONdwA.exe	cobalt_reflective_dll
\Windows\system\bDUZuGS.exe	cobalt_reflective_dll
C:\Windows\system\bDUZuGS.exe	cobalt_reflective_dll
\Windows\system\NbvsVOl.exe	cobalt_reflective_dll
\Windows\system\NMCfBdq.exe	cobalt_reflective_dll
C:\Windows\system\NbvsVOl.exe	cobalt_reflective_dll
C:\Windows\system\NMCfBdq.exe	cobalt_reflective_dll
\Windows\system\ZwYRygQ.exe	cobalt_reflective_dll
C:\Windows\system\ZwYRygQ.exe	cobalt_reflective_dll
\Windows\system\NwpuztS.exe	cobalt_reflective_dll
C:\Windows\system\NwpuztS.exe	cobalt_reflective_dll
\Windows\system\zFjGHVt.exe	cobalt_reflective_dll
\Windows\system\AkTcBzt.exe	cobalt_reflective_dll
C:\Windows\system\zFjGHVt.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 12 IoCs

Processes:

JJtrqTu.exeXvGkVJK.exeavsGllX.exerIesTCK.exeSFNInbE.exepSONdwA.exebDUZuGS.exeNbvsVOl.exeNMCfBdq.exeZwYRygQ.exeNwpuztS.exezFjGHVt.exe

pid	process
2020	JJtrqTu.exe
1988	XvGkVJK.exe
1980	avsGllX.exe
1892	rIesTCK.exe
1736	SFNInbE.exe
1788	pSONdwA.exe
1740	bDUZuGS.exe
1764	NbvsVOl.exe
1204	NMCfBdq.exe
1268	ZwYRygQ.exe
1528	NwpuztS.exe
1408	zFjGHVt.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\JJtrqTu.exe	upx
C:\Windows\system\JJtrqTu.exe	upx
\Windows\system\XvGkVJK.exe	upx
C:\Windows\system\XvGkVJK.exe	upx
\Windows\system\avsGllX.exe	upx
C:\Windows\system\avsGllX.exe	upx
\Windows\system\rIesTCK.exe	upx
C:\Windows\system\SFNInbE.exe	upx
\Windows\system\SFNInbE.exe	upx
C:\Windows\system\rIesTCK.exe	upx
\Windows\system\pSONdwA.exe	upx
C:\Windows\system\pSONdwA.exe	upx
\Windows\system\bDUZuGS.exe	upx
C:\Windows\system\bDUZuGS.exe	upx
\Windows\system\NbvsVOl.exe	upx
\Windows\system\NMCfBdq.exe	upx
C:\Windows\system\NbvsVOl.exe	upx
C:\Windows\system\NMCfBdq.exe	upx
\Windows\system\ZwYRygQ.exe	upx
C:\Windows\system\ZwYRygQ.exe	upx
\Windows\system\NwpuztS.exe	upx
C:\Windows\system\NwpuztS.exe	upx
\Windows\system\zFjGHVt.exe	upx
\Windows\system\AkTcBzt.exe	upx
C:\Windows\system\zFjGHVt.exe	upx

Loads dropped DLL 13 IoCs

Processes:

c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe

pid	process
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe

JavaScript code in executable 25 IoCs

Processes:

resource	yara_rule
\Windows\system\JJtrqTu.exe	js
C:\Windows\system\JJtrqTu.exe	js
\Windows\system\XvGkVJK.exe	js
C:\Windows\system\XvGkVJK.exe	js
\Windows\system\avsGllX.exe	js
C:\Windows\system\avsGllX.exe	js
\Windows\system\rIesTCK.exe	js
C:\Windows\system\SFNInbE.exe	js
\Windows\system\SFNInbE.exe	js
C:\Windows\system\rIesTCK.exe	js
\Windows\system\pSONdwA.exe	js
C:\Windows\system\pSONdwA.exe	js
\Windows\system\bDUZuGS.exe	js
C:\Windows\system\bDUZuGS.exe	js
\Windows\system\NbvsVOl.exe	js
\Windows\system\NMCfBdq.exe	js
C:\Windows\system\NbvsVOl.exe	js
C:\Windows\system\NMCfBdq.exe	js
\Windows\system\ZwYRygQ.exe	js
C:\Windows\system\ZwYRygQ.exe	js
\Windows\system\NwpuztS.exe	js
C:\Windows\system\NwpuztS.exe	js
\Windows\system\zFjGHVt.exe	js
\Windows\system\AkTcBzt.exe	js
C:\Windows\system\zFjGHVt.exe	js

Drops file in Windows directory 13 IoCs

Processes:

c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe

description	ioc	process
File created	C:\Windows\System\SFNInbE.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\pSONdwA.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\NbvsVOl.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\zFjGHVt.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\AkTcBzt.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\NMCfBdq.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\ZwYRygQ.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\NwpuztS.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\JJtrqTu.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\XvGkVJK.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\avsGllX.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\rIesTCK.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
File created	C:\Windows\System\bDUZuGS.exe	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe

description	pid	process	target process
PID 1704 wrote to memory of 2020	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	JJtrqTu.exe
PID 1704 wrote to memory of 2020	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	JJtrqTu.exe
PID 1704 wrote to memory of 2020	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	JJtrqTu.exe
PID 1704 wrote to memory of 1988	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	XvGkVJK.exe
PID 1704 wrote to memory of 1988	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	XvGkVJK.exe
PID 1704 wrote to memory of 1988	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	XvGkVJK.exe
PID 1704 wrote to memory of 1980	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	avsGllX.exe
PID 1704 wrote to memory of 1980	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	avsGllX.exe
PID 1704 wrote to memory of 1980	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	avsGllX.exe
PID 1704 wrote to memory of 1892	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	rIesTCK.exe
PID 1704 wrote to memory of 1892	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	rIesTCK.exe
PID 1704 wrote to memory of 1892	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	rIesTCK.exe
PID 1704 wrote to memory of 1736	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	SFNInbE.exe
PID 1704 wrote to memory of 1736	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	SFNInbE.exe
PID 1704 wrote to memory of 1736	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	SFNInbE.exe
PID 1704 wrote to memory of 1788	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	pSONdwA.exe
PID 1704 wrote to memory of 1788	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	pSONdwA.exe
PID 1704 wrote to memory of 1788	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	pSONdwA.exe
PID 1704 wrote to memory of 1740	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	bDUZuGS.exe
PID 1704 wrote to memory of 1740	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	bDUZuGS.exe
PID 1704 wrote to memory of 1740	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	bDUZuGS.exe
PID 1704 wrote to memory of 1764	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NbvsVOl.exe
PID 1704 wrote to memory of 1764	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NbvsVOl.exe
PID 1704 wrote to memory of 1764	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NbvsVOl.exe
PID 1704 wrote to memory of 1204	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NMCfBdq.exe
PID 1704 wrote to memory of 1204	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NMCfBdq.exe
PID 1704 wrote to memory of 1204	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NMCfBdq.exe
PID 1704 wrote to memory of 1268	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	ZwYRygQ.exe
PID 1704 wrote to memory of 1268	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	ZwYRygQ.exe
PID 1704 wrote to memory of 1268	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	ZwYRygQ.exe
PID 1704 wrote to memory of 1528	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NwpuztS.exe
PID 1704 wrote to memory of 1528	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NwpuztS.exe
PID 1704 wrote to memory of 1528	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	NwpuztS.exe
PID 1704 wrote to memory of 1408	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	zFjGHVt.exe
PID 1704 wrote to memory of 1408	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	zFjGHVt.exe
PID 1704 wrote to memory of 1408	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	zFjGHVt.exe
PID 1704 wrote to memory of 1524	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	AkTcBzt.exe
PID 1704 wrote to memory of 1524	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	AkTcBzt.exe
PID 1704 wrote to memory of 1524	1704	c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe	AkTcBzt.exe

C:\Users\Admin\AppData\Local\Temp\c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe
"C:\Users\Admin\AppData\Local\Temp\c502a2ae67b7996363a13a82ddde624a68ff5e0c8dabbdee1fdc0317e9a4e9a1.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System\JJtrqTu.exe
C:\Windows\System\JJtrqTu.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\System\XvGkVJK.exe
C:\Windows\System\XvGkVJK.exe
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\System\avsGllX.exe
C:\Windows\System\avsGllX.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Windows\System\rIesTCK.exe
C:\Windows\System\rIesTCK.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\SFNInbE.exe
C:\Windows\System\SFNInbE.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System\pSONdwA.exe
C:\Windows\System\pSONdwA.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System\bDUZuGS.exe
C:\Windows\System\bDUZuGS.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\System\NbvsVOl.exe
C:\Windows\System\NbvsVOl.exe
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\System\NMCfBdq.exe
C:\Windows\System\NMCfBdq.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System\ZwYRygQ.exe
C:\Windows\System\ZwYRygQ.exe
2⤵
- Executes dropped EXE
PID:1268

C:\Windows\System\NwpuztS.exe
C:\Windows\System\NwpuztS.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\System\zFjGHVt.exe
C:\Windows\System\zFjGHVt.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\System\AkTcBzt.exe
C:\Windows\System\AkTcBzt.exe
2⤵
PID:1524

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\JJtrqTu.exe
MD5
cf18391d89421f809382a8c22892d2c3

SHA1
80868a3d382ed835ada28fe971a73108e1ee4265

SHA256
d8c684e185511c426d1111c1dab6bbf6473bc98640e4552e8fc66b63aa7ad650

SHA512
99b4fb1737225ef1086bedce099597d2595e8276cb9863ee2c438429648c0192efdf55d901dd971110b20a76b3d97ba98f6d9d743b32fa1ac4e6a499caa238ee

Download Submit
C:\Windows\system\NMCfBdq.exe
MD5
2227ddc620ad6f020eba3d8af6151f58

SHA1
34a30953b4645aadd6c59e567cb1da484078d3c4

SHA256
857772bc8896e472465b555dd41176f0eaac8408afa0fe77f6f8d2f0861c7439

SHA512
d75c74114bab5afbb01f77b9230bbbb93b72e6901f55753d7bfa483d451f8f32ba51b5883c227fc4ab302959b0abb91a5740e90bda1ddc636cb3c1b9341b7389

Download Submit
C:\Windows\system\NbvsVOl.exe
MD5
55c1cf41ecf7bf5ea7bebedade55c936

SHA1
312429d9d785f415e6a51fb4f82bc79b658e32aa

SHA256
dc69542d37c4d37c18164e272187a6d3147e4a30637bce269e7422e7018c3680

SHA512
1171562daa2c51367e7999d3bffcd83bcdf6a176bf468dad9ad671f7cb698480262ca474def39eee7432fbc42c50b336125a3bec67c1cdca95e733c29d37f121

Download Submit
C:\Windows\system\NwpuztS.exe
MD5
a2e9cce7b3b5943d31533325934461bf

SHA1
271ac99804a3136a8793cf868976679ba26c388f

SHA256
69b623c13fa3b1bab8309d35aa5b5e83e71cb8d062ed0a10958f423b5fa43da4

SHA512
f51e2e73ad0c1de10c61f343e11fdea1918ee9031df0843551d2609a0f6766d400fa62d9a01cc0d0f8a21644b716be64aadd07325127d53222e5928769242116

Download Submit
C:\Windows\system\SFNInbE.exe
MD5
4a0c626929c92fa25b30d97d16cf2ab3

SHA1
187364815983ed7af91ebaa18ab4d083847c1f67

SHA256
d53ad33c388b20eb4e41b110db1b87de675bdcc6cb7025f2596245be400de789

SHA512
3447c4da0ccd198606191e6d03db64ff0593de4ebbda7089a59009ae81f4e961e9a698accfe81c12aa51c9fb5758c6442897e10656613f715f1965944a42328e

Download Submit
C:\Windows\system\XvGkVJK.exe
MD5
2c6f11177a07a1faee8a73f6d4f951f9

SHA1
6560c2e9880d5fa615d8e3d8639d8a6de70291d0

SHA256
521dcc4935850643065ddac3f8c8f6f6b1806637cdf5af3000d64a89fd3a425d

SHA512
650e323ea80eaf5f098df105b4e13a6feb33d03b25d43dacbe62ab58116df71265c3a5ebe5f10d000e8abd57cf7b8aec3a0420a2f35c0005d891f753d875770d

Download Submit
C:\Windows\system\ZwYRygQ.exe
MD5
2639ba58d960d7c633f220916c1d2033

SHA1
31795b7b5d58ddaa4a94160e8b403bcf3b5156d3

SHA256
5491097d194ea10916b01818663155071aa45360da04c395703e4773dddf0e01

SHA512
4b41c2e80958338710e875e3289acf065ebb17226a9aed37c0c5ee860d890318246e6a46ce341f6dc713566f0b57e45f423db774aa4b59e4a8563ec96bba9b65

Download Submit
C:\Windows\system\avsGllX.exe
MD5
d41e6f274035d8df7a0fc8367e7dd0ab

SHA1
5472a8f4fdb26bd3c12228b267487e66eb5abfea

SHA256
d4c3ab4b1e3b5dd9c72e0d27afe781a0bb104c67af4a9dbd01735e4d7ef49340

SHA512
0a0d43861358cf749a975c593bfa45965451998614faefa7b2376ffb1ac25cdfbb3b275fead33a431975c14775510d0f6df2655f8016acc5904c386791952fa0

Download Submit
C:\Windows\system\bDUZuGS.exe
MD5
17f060fd5b74e2a1d2ba81a6714299e6

SHA1
f6ca0c7e839012d8b6b14e6a9140de2ce4b0edb1

SHA256
31a77ebd914d8b7636908496b436592feb03e0ba9a093fa2ed1c67a113463228

SHA512
ecc53c4dd2b192a6321430ce418359f90427f6e74235c18ff7edcd2c1d0e088f24662dd7c520b27fc3f153e92446d5bc186ebbf565c99d9454a4483b813c0afb

Download Submit
C:\Windows\system\pSONdwA.exe
MD5
8fd723b2df3e7e247b0d0dec30914c96

SHA1
6335029b4156d12741267b51c1b8f15b0e5cde28

SHA256
a880bcc6ec636531be0ac2fc71378d468ca66440788f86d60519e643fb6a0d20

SHA512
1a143289f8290a8976eb49ab6700edcc238c153a2b59212ab2c80298e4bfa1d272bbb80e4481bde22817787a4d01e9d6c0524f6dc6a969c9c904f4b97182d6f0

Download Submit
C:\Windows\system\rIesTCK.exe
MD5
a80f78037509fe0199beea92a3097f66

SHA1
b6590af7f474a68efe8dfebaf318154d8d63ac17

SHA256
cc56f11104458fd4f35468d7474c630a474203b5a7ba45ccfdbffe58e08bd271

SHA512
3b232936ed2d50856739eb1a7df9a4bedfb67f497a5d6ee3223e0f5183e601733faeae0a2ef1124b45e9202f04b7d3149079705f143c15b466b3aa28ded604df

Download Submit
C:\Windows\system\zFjGHVt.exe
MD5
76f54546d4fab388689b7f623cc8d9ee

SHA1
c83d6b7d9fcacb8e0b46941db23c81decdac2a92

SHA256
bdcbfda2b16a2231824b7c8c77084a0a335bcee03f947e5f3850b9f7417cd065

SHA512
c9a9ff237fdcafeeecef4b8537b4a11708249ca500dfa079842278b904e4bc6b127113cb73477f9094d12c59bdf3bca4e49155f9fcd6d7c91f52010782ab3640

Download Submit
\Windows\system\AkTcBzt.exe
MD5
9164cecf218be54476fc3de7f2b52e9a

SHA1
96b795a44d55581712da8a7c5793cf5767cb9aa0

SHA256
4732c7d11e3e92cca154bae1e017a8d62cb414bc415e787f2873b01de602f39c

SHA512
9adbfffcdd19bcff0ec6d5bb1515bdc2de1e17612b3cedf18d5159c188c36f615d4e8348640f487f234584aceb5f2d97e63260ddf5cc08ee9586ad2330e51888

Download Submit
\Windows\system\JJtrqTu.exe
MD5
cf18391d89421f809382a8c22892d2c3

SHA1
80868a3d382ed835ada28fe971a73108e1ee4265

SHA256
d8c684e185511c426d1111c1dab6bbf6473bc98640e4552e8fc66b63aa7ad650

SHA512
99b4fb1737225ef1086bedce099597d2595e8276cb9863ee2c438429648c0192efdf55d901dd971110b20a76b3d97ba98f6d9d743b32fa1ac4e6a499caa238ee

Download Submit
\Windows\system\NMCfBdq.exe
MD5
2227ddc620ad6f020eba3d8af6151f58

SHA1
34a30953b4645aadd6c59e567cb1da484078d3c4

SHA256
857772bc8896e472465b555dd41176f0eaac8408afa0fe77f6f8d2f0861c7439

SHA512
d75c74114bab5afbb01f77b9230bbbb93b72e6901f55753d7bfa483d451f8f32ba51b5883c227fc4ab302959b0abb91a5740e90bda1ddc636cb3c1b9341b7389

Download Submit
\Windows\system\NbvsVOl.exe
MD5
55c1cf41ecf7bf5ea7bebedade55c936

SHA1
312429d9d785f415e6a51fb4f82bc79b658e32aa

SHA256
dc69542d37c4d37c18164e272187a6d3147e4a30637bce269e7422e7018c3680

SHA512
1171562daa2c51367e7999d3bffcd83bcdf6a176bf468dad9ad671f7cb698480262ca474def39eee7432fbc42c50b336125a3bec67c1cdca95e733c29d37f121

Download Submit
\Windows\system\NwpuztS.exe
MD5
a2e9cce7b3b5943d31533325934461bf

SHA1
271ac99804a3136a8793cf868976679ba26c388f

SHA256
69b623c13fa3b1bab8309d35aa5b5e83e71cb8d062ed0a10958f423b5fa43da4

SHA512
f51e2e73ad0c1de10c61f343e11fdea1918ee9031df0843551d2609a0f6766d400fa62d9a01cc0d0f8a21644b716be64aadd07325127d53222e5928769242116

Download Submit
\Windows\system\SFNInbE.exe
MD5
4a0c626929c92fa25b30d97d16cf2ab3

SHA1
187364815983ed7af91ebaa18ab4d083847c1f67

SHA256
d53ad33c388b20eb4e41b110db1b87de675bdcc6cb7025f2596245be400de789

SHA512
3447c4da0ccd198606191e6d03db64ff0593de4ebbda7089a59009ae81f4e961e9a698accfe81c12aa51c9fb5758c6442897e10656613f715f1965944a42328e

Download Submit
\Windows\system\XvGkVJK.exe
MD5
2c6f11177a07a1faee8a73f6d4f951f9

SHA1
6560c2e9880d5fa615d8e3d8639d8a6de70291d0

SHA256
521dcc4935850643065ddac3f8c8f6f6b1806637cdf5af3000d64a89fd3a425d

SHA512
650e323ea80eaf5f098df105b4e13a6feb33d03b25d43dacbe62ab58116df71265c3a5ebe5f10d000e8abd57cf7b8aec3a0420a2f35c0005d891f753d875770d

Download Submit
\Windows\system\ZwYRygQ.exe
MD5
2639ba58d960d7c633f220916c1d2033

SHA1
31795b7b5d58ddaa4a94160e8b403bcf3b5156d3

SHA256
5491097d194ea10916b01818663155071aa45360da04c395703e4773dddf0e01

SHA512
4b41c2e80958338710e875e3289acf065ebb17226a9aed37c0c5ee860d890318246e6a46ce341f6dc713566f0b57e45f423db774aa4b59e4a8563ec96bba9b65

Download Submit
\Windows\system\avsGllX.exe
MD5
d41e6f274035d8df7a0fc8367e7dd0ab

SHA1
5472a8f4fdb26bd3c12228b267487e66eb5abfea

SHA256
d4c3ab4b1e3b5dd9c72e0d27afe781a0bb104c67af4a9dbd01735e4d7ef49340

SHA512
0a0d43861358cf749a975c593bfa45965451998614faefa7b2376ffb1ac25cdfbb3b275fead33a431975c14775510d0f6df2655f8016acc5904c386791952fa0

Download Submit
\Windows\system\bDUZuGS.exe
MD5
17f060fd5b74e2a1d2ba81a6714299e6

SHA1
f6ca0c7e839012d8b6b14e6a9140de2ce4b0edb1

SHA256
31a77ebd914d8b7636908496b436592feb03e0ba9a093fa2ed1c67a113463228

SHA512
ecc53c4dd2b192a6321430ce418359f90427f6e74235c18ff7edcd2c1d0e088f24662dd7c520b27fc3f153e92446d5bc186ebbf565c99d9454a4483b813c0afb

Download Submit
\Windows\system\pSONdwA.exe
MD5
8fd723b2df3e7e247b0d0dec30914c96

SHA1
6335029b4156d12741267b51c1b8f15b0e5cde28

SHA256
a880bcc6ec636531be0ac2fc71378d468ca66440788f86d60519e643fb6a0d20

SHA512
1a143289f8290a8976eb49ab6700edcc238c153a2b59212ab2c80298e4bfa1d272bbb80e4481bde22817787a4d01e9d6c0524f6dc6a969c9c904f4b97182d6f0

Download Submit
\Windows\system\rIesTCK.exe
MD5
a80f78037509fe0199beea92a3097f66

SHA1
b6590af7f474a68efe8dfebaf318154d8d63ac17

SHA256
cc56f11104458fd4f35468d7474c630a474203b5a7ba45ccfdbffe58e08bd271

SHA512
3b232936ed2d50856739eb1a7df9a4bedfb67f497a5d6ee3223e0f5183e601733faeae0a2ef1124b45e9202f04b7d3149079705f143c15b466b3aa28ded604df

Download Submit
\Windows\system\zFjGHVt.exe
MD5
76f54546d4fab388689b7f623cc8d9ee

SHA1
c83d6b7d9fcacb8e0b46941db23c81decdac2a92

SHA256
bdcbfda2b16a2231824b7c8c77084a0a335bcee03f947e5f3850b9f7417cd065

SHA512
c9a9ff237fdcafeeecef4b8537b4a11708249ca500dfa079842278b904e4bc6b127113cb73477f9094d12c59bdf3bca4e49155f9fcd6d7c91f52010782ab3640

Download Submit
memory/1204-25-0x0000000000000000-mapping.dmp

Download
memory/1268-28-0x0000000000000000-mapping.dmp

Download
memory/1408-34-0x0000000000000000-mapping.dmp

Download
memory/1524-37-0x0000000000000000-mapping.dmp

Download
memory/1528-31-0x0000000000000000-mapping.dmp

Download
memory/1736-13-0x0000000000000000-mapping.dmp

Download
memory/1740-19-0x0000000000000000-mapping.dmp

Download
memory/1764-22-0x0000000000000000-mapping.dmp

Download
memory/1788-16-0x0000000000000000-mapping.dmp

Download
memory/1892-9-0x0000000000000000-mapping.dmp

Download
memory/1980-7-0x0000000000000000-mapping.dmp

Download
memory/1988-4-0x0000000000000000-mapping.dmp

Download
memory/2020-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads