cobaltstrike | 12077eca290b6e284194c5b14d6ae2ba686ca37cca4941f45a7eb9376ebfbc8b

Analysis

max time kernel
2s
max time network
6s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f2652cb8ef0d92e8022ddc8d40386e0e
SHA1

241c8d78811d0e047c3e8b3af197cea6a3f247e9
SHA256

12077eca290b6e284194c5b14d6ae2ba686ca37cca4941f45a7eb9376ebfbc8b
SHA512

e8f38fb395866879797783843bf89a1c372d45f99ccf2b20b572f95a3e17e369b7ae2564cf529321ed065fff43c507073d14279670f25e3c5bd4f9234e42d3fb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 16 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012243-3.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000012243-6.dat	cobalt_reflective_dll
behavioral1/files/0x002d000000014f56-12.dat	cobalt_reflective_dll
behavioral1/files/0x002d000000014f56-15.dat	cobalt_reflective_dll
behavioral1/files/0x002d000000014f56-10.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155e9-21.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155f7-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015855-35.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015855-31.dat	cobalt_reflective_dll
behavioral1/files/0x002d0000000152f8-50.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015dbd-59.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015c0a-42.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155f7-28.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155e9-18.dat	cobalt_reflective_dll
behavioral1/files/0x000d0000000122c5-11.dat	cobalt_reflective_dll
behavioral1/files/0x000d0000000122c5-8.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 16 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012243-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000012243-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002d000000014f56-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002d000000014f56-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002d000000014f56-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155e9-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155f7-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015855-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015855-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002d0000000152f8-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015dbd-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015c0a-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155f7-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155e9-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000d0000000122c5-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000d0000000122c5-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 41 IoCs

resource	yara_rule
behavioral1/memory/1724-0-0x000000013F6D0000-0x000000013FA21000-memory.dmp	UPX
behavioral1/files/0x000a000000012243-3.dat	UPX
behavioral1/files/0x000a000000012243-6.dat	UPX
behavioral1/files/0x002d000000014f56-12.dat	UPX
behavioral1/files/0x002d000000014f56-15.dat	UPX
behavioral1/files/0x002d000000014f56-10.dat	UPX
behavioral1/files/0x00070000000155e9-21.dat	UPX
behavioral1/memory/2816-22-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	UPX
behavioral1/memory/2856-23-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX
behavioral1/files/0x00070000000155f7-25.dat	UPX
behavioral1/memory/2704-34-0x000000013FC80000-0x000000013FFD1000-memory.dmp	UPX
behavioral1/files/0x0007000000015855-35.dat	UPX
behavioral1/files/0x0007000000015855-31.dat	UPX
behavioral1/memory/2900-38-0x000000013F660000-0x000000013F9B1000-memory.dmp	UPX
behavioral1/memory/2592-47-0x000000013FEE0000-0x0000000140231000-memory.dmp	UPX
behavioral1/memory/2700-49-0x000000013F640000-0x000000013F991000-memory.dmp	UPX
behavioral1/files/0x002d0000000152f8-50.dat	UPX
behavioral1/memory/2608-56-0x000000013F770000-0x000000013FAC1000-memory.dmp	UPX
behavioral1/files/0x0007000000015dbd-59.dat	UPX
behavioral1/files/0x0007000000015dbd-57.dat	UPX
behavioral1/memory/2344-62-0x000000013FAB0000-0x000000013FE01000-memory.dmp	UPX
behavioral1/files/0x0006000000016d47-80.dat	UPX
behavioral1/files/0x0006000000016d47-87.dat	UPX
behavioral1/files/0x0006000000016d52-91.dat	UPX
behavioral1/files/0x0006000000016d58-95.dat	UPX
behavioral1/memory/1672-99-0x000000013F690000-0x000000013F9E1000-memory.dmp	UPX
behavioral1/files/0x0006000000016d58-97.dat	UPX
behavioral1/files/0x0006000000016d3e-86.dat	UPX
behavioral1/files/0x0006000000016d52-83.dat	UPX
behavioral1/files/0x0006000000016d3e-77.dat	UPX
behavioral1/files/0x0006000000016d2f-74.dat	UPX
behavioral1/files/0x0006000000016d2f-70.dat	UPX
behavioral1/files/0x0006000000016d1d-66.dat	UPX
behavioral1/files/0x0006000000016d1d-64.dat	UPX
behavioral1/files/0x002d0000000152f8-53.dat	UPX
behavioral1/files/0x0008000000015c0a-42.dat	UPX
behavioral1/files/0x0008000000015c0a-39.dat	UPX
behavioral1/files/0x00070000000155f7-28.dat	UPX
behavioral1/files/0x00070000000155e9-18.dat	UPX
behavioral1/files/0x000d0000000122c5-11.dat	UPX
behavioral1/files/0x000d0000000122c5-8.dat	UPX

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/2816-22-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2856-23-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2704-34-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2900-38-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2736-46-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2592-47-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2700-49-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2608-56-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2988-98-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/472-94-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/584-93-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2348-73-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

pid	Process
2816	KZRWTHW.exe
2856	zSJbfJG.exe
2704	XRLTtmJ.exe
2900	ZeZEiuQ.exe

Loads dropped DLL 4 IoCs

pid	Process
1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-0-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/files/0x000a000000012243-3.dat	upx
behavioral1/files/0x000a000000012243-6.dat	upx
behavioral1/files/0x002d000000014f56-12.dat	upx
behavioral1/files/0x002d000000014f56-15.dat	upx
behavioral1/files/0x002d000000014f56-10.dat	upx
behavioral1/files/0x00070000000155e9-21.dat	upx
behavioral1/memory/2816-22-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/2856-23-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/files/0x00070000000155f7-25.dat	upx
behavioral1/memory/2704-34-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/files/0x0007000000015855-35.dat	upx
behavioral1/files/0x0007000000015855-31.dat	upx
behavioral1/memory/2900-38-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2736-46-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2592-47-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2700-49-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/files/0x002d0000000152f8-50.dat	upx
behavioral1/memory/2608-56-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/files/0x0007000000015dbd-59.dat	upx
behavioral1/files/0x0007000000015dbd-57.dat	upx
behavioral1/memory/2344-62-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/files/0x0006000000016d47-80.dat	upx
behavioral1/files/0x0006000000016d47-87.dat	upx
behavioral1/files/0x0006000000016d52-91.dat	upx
behavioral1/files/0x0006000000016d58-95.dat	upx
behavioral1/memory/1672-99-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2988-98-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/472-94-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/files/0x0006000000016d58-97.dat	upx
behavioral1/memory/584-93-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-86.dat	upx
behavioral1/files/0x0006000000016d52-83.dat	upx
behavioral1/files/0x0006000000016d3e-77.dat	upx
behavioral1/memory/2928-75-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/files/0x0006000000016d2f-74.dat	upx
behavioral1/memory/2348-73-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/files/0x0006000000016d2f-70.dat	upx
behavioral1/files/0x0006000000016d1d-66.dat	upx
behavioral1/files/0x0006000000016d1d-64.dat	upx
behavioral1/files/0x002d0000000152f8-53.dat	upx
behavioral1/files/0x0008000000015c0a-42.dat	upx
behavioral1/files/0x0008000000015c0a-39.dat	upx
behavioral1/files/0x00070000000155f7-28.dat	upx
behavioral1/files/0x00070000000155e9-18.dat	upx
behavioral1/files/0x000d0000000122c5-11.dat	upx
behavioral1/files/0x000d0000000122c5-8.dat	upx
behavioral1/memory/2816-103-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System\XRLTtmJ.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZeZEiuQ.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VcKgUwH.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KZRWTHW.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zSJbfJG.exe	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2816	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	29
PID 1724 wrote to memory of 2816	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	29
PID 1724 wrote to memory of 2816	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	29
PID 1724 wrote to memory of 2856	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	30
PID 1724 wrote to memory of 2856	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	30
PID 1724 wrote to memory of 2856	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	30
PID 1724 wrote to memory of 2704	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	31
PID 1724 wrote to memory of 2704	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	31
PID 1724 wrote to memory of 2704	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	31
PID 1724 wrote to memory of 2900	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	32
PID 1724 wrote to memory of 2900	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	32
PID 1724 wrote to memory of 2900	1724	2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_f2652cb8ef0d92e8022ddc8d40386e0e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System\KZRWTHW.exe
  C:\Windows\System\KZRWTHW.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\zSJbfJG.exe
  C:\Windows\System\zSJbfJG.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\XRLTtmJ.exe
  C:\Windows\System\XRLTtmJ.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ZeZEiuQ.exe
  C:\Windows\System\ZeZEiuQ.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\AUKRzGI.exe
  C:\Windows\System\AUKRzGI.exe
  2⤵
  PID:2700
- C:\Windows\System\uDuXaGg.exe
  C:\Windows\System\uDuXaGg.exe
  2⤵
  PID:2348
- C:\Windows\System\QbaROwQ.exe
  C:\Windows\System\QbaROwQ.exe
  2⤵
  PID:2344
- C:\Windows\System\tXHFcgr.exe
  C:\Windows\System\tXHFcgr.exe
  2⤵
  PID:2928
- C:\Windows\System\KxOTNeG.exe
  C:\Windows\System\KxOTNeG.exe
  2⤵
  PID:1672
- C:\Windows\System\tGZbytK.exe
  C:\Windows\System\tGZbytK.exe
  2⤵
  PID:2988
- C:\Windows\System\sswdLIZ.exe
  C:\Windows\System\sswdLIZ.exe
  2⤵
  PID:472
- C:\Windows\System\EvmRLeY.exe
  C:\Windows\System\EvmRLeY.exe
  2⤵
  PID:584
- C:\Windows\System\ahyjKNN.exe
  C:\Windows\System\ahyjKNN.exe
  2⤵
  PID:2608
- C:\Windows\System\RkiJcYh.exe
  C:\Windows\System\RkiJcYh.exe
  2⤵
  PID:2592
- C:\Windows\System\VcKgUwH.exe
  C:\Windows\System\VcKgUwH.exe
  2⤵
  PID:2736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AUKRzGI.exe

Filesize
525KB

MD5
afba4f61581aa3d02c89bc1cd9d056e3

SHA1
823e14d8a508da1ffe3a5a98ce03ec6bcb2d6901

SHA256
79964b48a878129e53c09b5f35c73671932b741ce677bad0f2514b4d40f81977

SHA512
a6368036d07703ac0b071ebe36b8023d65d156aa394f42696f84582f046d733403a20abca00a5e2010c41c06cbfa0ec2a67258669f956c8d1524e73e82541087

Download Submit
C:\Windows\system\EvmRLeY.exe

Filesize
93KB

MD5
31edca38b2321043faa377d552e7a07e

SHA1
faa2e45480e02ab0c5eeb16c3cbc1eaf6d02564f

SHA256
b24d8eaf2ac8ca4af9ea74314760965362c1e0b7cbd85d9ccfb9913bdb6e43d3

SHA512
a2d2d14bdfb9d228c1850428d84d82975a09ce45762a74850d665123a52503c6dfeabe65026b3f87ddd7729287e3bb4dc277a494bf5543189ba67f4304412c6c

Download Submit
C:\Windows\system\KZRWTHW.exe

Filesize
1.2MB

MD5
e935c8bd6daebba30d0f5b0347089679

SHA1
e53502702676a9ea04db230ea7ed4904e0192f5d

SHA256
bb547bde953626ca4b877bfdb246afbd38d3af41ab7d7077c89cb8040e7bf2a9

SHA512
baa4b0359f00c888147ad36e3e9dc8b89dc20883fa0ffaeacafc6af641841b80ee4bc0bf69682282c5739e7f1d4e5c3b2aee6c96ea67d725494de48bb0969f8c

Download Submit
C:\Windows\system\KxOTNeG.exe

Filesize
145KB

MD5
b1239879b51c6a136a63cad7a82319d1

SHA1
9d626598b43f33c4163c741f26eac5ed80969221

SHA256
b83ea075a0dd2ff570e006e2589e28d15b70ed091e79d08b75411a9b53e63220

SHA512
5833649083bb3401910eeaf9c0a51c4eb1a210e94d01429bcd7a00e7fb4c1163d275f8dad203fb68feb4271da4103496d37727a28ef28fe1e563c4d4eeb43d44

Download Submit
C:\Windows\system\QbaROwQ.exe

Filesize
384KB

MD5
501ace9801b109a6c22e9eec177f5910

SHA1
0e8cff928c9ff2fb0a5edf29bff36fcca0083129

SHA256
77506142a649913afe4fa0ad337356389f2604142893f670c7581afd61f5d3cc

SHA512
135e0b61ee3198bd34dde0fa18406205909d0f557aa90c9e91c94971a7959a4e6cddd9062d057a5e162476dc1ddba41dadd53947108a4c85257f4f5a6b50f13d

Download Submit
C:\Windows\system\RkiJcYh.exe

Filesize
631KB

MD5
eb0ac8d5a7403b26377730da1c6b772f

SHA1
1497d44a9dc39e2dc23f86523ae27d3960e4ecab

SHA256
44135f04986862723621e651aadf7c3dc9961de528d59077c7739b7052f9bdb1

SHA512
c08addf6398c94478f4b5fee3ee0ac48805e2bcce5079269e4d81ff6120e608177caa4c7e3192ef35ce0eb19d1ea7b36b210b1990c700956f4592f0f51d72ec1

Download Submit
C:\Windows\system\VcKgUwH.exe

Filesize
1024KB

MD5
3534862c6ec6ee5f9d4570ce5fa753d3

SHA1
4101013e33f1019f678d97155108eca85f5e307d

SHA256
e5cbc3c41e7d20744da8f64bb69aef3478c6758897b4f16b3297218859e748d6

SHA512
37e161688066a8e577e09fb7a63c54672114192a7287df89ec2ffb17e7c3560362f23b3935697c6d346ca69ed6aa3f8443887ce9e1273e63d87b655008cbd9ce

Download Submit
C:\Windows\system\XRLTtmJ.exe

Filesize
619KB

MD5
252ce20e7b4b37f1fb58e021a6bee727

SHA1
e7cfd61a51294ebf99d8c6ce7d367e3f7fd75088

SHA256
2f2be5c57fc07fc62b00698231853cc481314be239fa27b4d015a580283ee3d7

SHA512
392b8d83cdf7ce1ba22bbd4ce4d5f5295747227a48e0d17266321c5ec118127d5e55738a1cb725ff2b5087f302d6bf51508ab666a9408b02610d77b89d8cda81

Download Submit
C:\Windows\system\XRLTtmJ.exe

Filesize
971KB

MD5
c07cb611fb72cb028bc9bee5bff91a74

SHA1
a966f5ae5b820dd6b216c1da820423f0e47d7005

SHA256
b3930c2ce6bcfe16e62a0eaf1f9f4e44f744c3a55770457faa262df0c6f01602

SHA512
a507d3f9bb9b755e2db975acc0c36409dd1a4854bb59652bedd96b0b717d0b8c4fd856eccb5cb396789daa63e20209c76f59437937d24c2a470821d12dc66575

Download Submit
C:\Windows\system\ZeZEiuQ.exe

Filesize
572KB

MD5
4ff0133383b6fe1ecd9a52fb75425d4a

SHA1
fedf334052fb3cec1d7d2c9869be563597d05351

SHA256
5cd7bda23e94b13ff21c948b3defc21c7c924e438cf2839030dec5c23b60bc26

SHA512
cb3ba99ad041c30013f28e9c9302a35c192a6210f53c07df7a80336b58b44d6a5e9cf692c0a0500d15d183bcf7c7b32f1c846a5dc85c9c4fbf09df086fe8de67

Download Submit
C:\Windows\system\ahyjKNN.exe

Filesize
582KB

MD5
54393f17f35d73bb9c1ee07455f693bc

SHA1
803f54d48da88370a3f929a72bb2124cd5ead2b5

SHA256
9052528b408ee457a8bee4f0fc3f0c08e2a6341dbc7786c102066522df226070

SHA512
7e5cb413e0563695bc7c78a6e30b33a21336733b16c88c36cbcb271d5fa8da1828618dcf3f103cc1911e59b7606edfb11200316acdd75b60b3ef942d477c855a

Download Submit
C:\Windows\system\sswdLIZ.exe

Filesize
255KB

MD5
46e1ed951b144c626728f8772a26e2b7

SHA1
1bfbef852dc0258679915e887c82f2eca2a000a2

SHA256
6ff6cd68fec7cadc8ea1fcbb6f493f99991f725e34d9939d83918b18b6ba8026

SHA512
d2e5a77e5992f6a0a668349d94bed657a4d6d4daad12dd1119c269778a1f37928c27519f91c15fa07aff4413b29124182c0c1f19878035bfca962d17a9aeb024

Download Submit
C:\Windows\system\tGZbytK.exe

Filesize
34KB

MD5
d2c0b2916c341a9bca9ec4ab7d47ade5

SHA1
dd293755b8a1f37117188213a5349bee6def2cb2

SHA256
685b89399b75bb2c11618d5b2ce247b3159754f6b454f52981a9ceb0e51d7785

SHA512
6d7c2169d5742d4bd37e5d8f93e367e02d1fd9c6ca6651bde05818aa0d9665048d23a39a61f4c32da2030a9ce38f11de00d634798e622c5e2d3a0a3b5913640c

Download Submit
C:\Windows\system\tXHFcgr.exe

Filesize
369KB

MD5
77343225d85a261ab665ff796b81f0e7

SHA1
e458c7f4fd10a5ef463f46c163077ac2606b2ad6

SHA256
ece4b08e18aac100deca49da94e24ef7ef4541d7e6e741caa1db12ab9dc3ed0e

SHA512
bd5a566f5e9cb7d7355675e9edf61633e3deaad106d2bb153248176be60deecc7321987e8a4c77290fd26cf60a81c0e062ea8fca773f0ef0078d3796fde8d7fa

Download Submit
C:\Windows\system\uDuXaGg.exe

Filesize
490KB

MD5
f0bd71d7e1b7e99d540cdbc0476927b8

SHA1
28d65696c05576cb265720df91be92b596beb0d1

SHA256
b78cc4e4139b722532662678ee71e20f415bf572dc6a11e05c4f1804a2bb0975

SHA512
f194c1f422acf36f0ea596672c579020fe2a0bf420f2df78b8d2b02fea28f52cd2df73228e320fa7438398c1a797785835b56a14dcec6ee913fe2315589b4b2f

Download Submit
C:\Windows\system\zSJbfJG.exe

Filesize
793KB

MD5
844e8372370c05d95fb30e676482c831

SHA1
145ec76cb64f93944ff08c6807c5a8fdb6452d86

SHA256
72b580656e537cae76c55c6d0d25fef0bd5526d0261bcb11c2b3049215a01184

SHA512
2e9ca85a72a552a84e84510a52748436628ce46d3ad292520a464a9bca9e33167dffcccc261d404813b8a88b48b238adce27efbf9faa5e8c54141741902bf245

Download Submit
\Windows\system\AUKRzGI.exe

Filesize
445KB

MD5
99f2fe6b76e210301e414ea664c2a2de

SHA1
bdcdff2c1e03d0917570e1025b6c9a4c86e4a0ad

SHA256
1da4cb6facfd8401d9c6a5a45caa84432caf292597ee40a766423a4f667afd1c

SHA512
c56fa0462e7d406fe24923b74dedea58eae136e77bab850383a6b5cfcadda094fac664fa1bb66187012f66cd3d39b03cf08aac0ee1190b2a2298cb3750eb2ff4

Download Submit
\Windows\system\EvmRLeY.exe

Filesize
211KB

MD5
565f5829f1fdf512b4b350f7b565e4a4

SHA1
aa88cfbc99f5a42c9fb7aabccff1d6fb16579ce1

SHA256
70a2881cbf4d6a5bdcd7e52000d0f9bbb54415267a25a068354a542769dc74f2

SHA512
a0165e44d5afb0ed3a1bee04678be3d0d23a5fbdf448099c6f15f0e071b60b1ee55052186677e9643120f0822a952b303c63e9ed141bab5e5b54719c64337534

Download Submit
\Windows\system\KZRWTHW.exe

Filesize
2.0MB

MD5
b2c234c959f177e93cd1b2de34305a55

SHA1
988a4e4f1944657c3c15697c1048b11577284ef7

SHA256
873878233b928f8fab222298aa14c35a28507e9012a068cc443ef8f832634626

SHA512
1e1330299db1f145b36d9c796a5beaa2992602c37e695c26a35ec0ba25dc7cb5dfb0417a8ae395c29c11a1fc2b33a1ba350c8bcc6dab28baebc3185218d1c5c6

Download Submit
\Windows\system\KxOTNeG.exe

Filesize
108KB

MD5
e4c844a7564160550d91684aa2c8271a

SHA1
c1dde33d669df90d93d187c2aa6f920973ee6aaf

SHA256
a7e43d2bb75f912e3dc8af7011db70d5f1371bbb5fd3bf296c0ce1f347ca45dd

SHA512
ab707ba92dba646f341e36bc7810e013faf926715a255cd5362a7754972b7c1c2529674bc47370f3348bd84d222272a8e36139f6d86b8fa9af47671c9d9b4f39

Download Submit
\Windows\system\QbaROwQ.exe

Filesize
326KB

MD5
970849f2a3af37a1ad219489e835aac8

SHA1
e5248b617f180baf2047deb53257286deb786fca

SHA256
9a1901a872d0d18a995126291d28c961ff830ac098a7f72be60c146f58cbef42

SHA512
1cd88391b9901ab165efc4dafdab2065452678b2411bd679b84822da216a72fd9f64b9a79727a7e54c48e7990c434fe0c8df9d65f9b5dfb9997bd84714c0d145

Download Submit
\Windows\system\RkiJcYh.exe

Filesize
614KB

MD5
d1da4dab72784b11a0efe829f4e829fe

SHA1
ae3df4d8757e0e332494557091198b203a5ba05d

SHA256
f066318d7ac0581a20ac5c19b1c87c91f793fae5c16f684f822ea9ae1e18cf4d

SHA512
2ce561e3f19c54b558473f19e15d15e8f2745940c45f3c578dd6accfe9cd9000e70645ac12a26440a21418e01fd999c18b1fdf022d61ad10c0821b65c6975a3b

Download Submit
\Windows\system\VcKgUwH.exe

Filesize
545KB

MD5
042d28b1f3d2e8a81463a114d5b886fb

SHA1
3de8da767c681e6cf51a85e3f968ae82853b2698

SHA256
570ac505664862acc9e236d310d2f4a76e31dc270930df13cf65645921820c93

SHA512
dfd38611840f1e34748f84d2639fbb19fa204ca559590ae5d13a95c8577bfea8ea20fefc51c4c901315dd845b37f2095ab7d143db5b6f265606e967ac2ddc28b

Download Submit
\Windows\system\XRLTtmJ.exe

Filesize
822KB

MD5
c0577be6e39980299e4b95a8935128c6

SHA1
b6278281e27f47a1914ea11eaa4e52db2c4ade4f

SHA256
a08737fe66acf9ec93e2c3b4109e85f5341cbf1320be09db909c68e92af78aa8

SHA512
196cbd8601075135da715a7081f2d7e35399984b45b479ef2ec69aa6a825055ff48871e2217e17a780e6ec2a3bdd86c657455f286417e70d60ad2adb3d7203ec

Download Submit
\Windows\system\ZeZEiuQ.exe

Filesize
966KB

MD5
9c45e30be490f64b4b00eb247004d314

SHA1
7dc01c7f7633708c558a576bc2848b932a8f7c95

SHA256
71c2ef4670f46a5ed303389f147a5de9af5ac2eadffbaa8cf206573292597386

SHA512
e3a9df4b0726ac7a1a29ae71e0dbe93f2cc8625c0f3157f8abbc24c42687956d5c146b36ee81c49a0f57fe482662a2cbc77546a3aeea972dd9c6f1c8646d13fb

Download Submit
\Windows\system\ahyjKNN.exe

Filesize
544KB

MD5
558237f83b2d34a7ccdd0141e198b90f

SHA1
0faef7d6400d9e91dafb7a865bb2fe2041a573b7

SHA256
2b7d6bc7c7faf44c4658805bd47422e938c3c36839dd0bce4e75aafa1d24925d

SHA512
8de818aa129ca6f7f49059180dab53533be893017a46ed39356330e55a233ab264084a1f62a199f11127c13d29fef6109e71b391e7db8842c7d8265500351c85

Download Submit
\Windows\system\sswdLIZ.exe

Filesize
109KB

MD5
dc7f89fd56c7e18d050249dea611b271

SHA1
4c4a146b4a04731563241bd783811510299457be

SHA256
e88bace0f4396a7530de5ecc83059aaec6382e1a55eed2144d91d775a1999774

SHA512
e8720dc1d7885c1503235b9a0b073e4c449dd8ee7e2a79b62d0bff18ba21ee441107585244341c360b34fd558ff1fbba053c086101ecdc2748527057e075d816

Download Submit
\Windows\system\tGZbytK.exe

Filesize
222KB

MD5
d5d0080cdbc7136257df28d17135d120

SHA1
c726fc231f945084731bd68a9eff22bb3396b670

SHA256
e9bc5b36d7d7a9bbabb46f7858e87928dcc370f96f458b6518fcb7134f5b8155

SHA512
09f89b94dfd769e26c2244939b9e6d8fe8f911a28bcf1d2b7f1442c4d6ca49d146114331429e014e7fe5758eacb4167976fbbf4329379b974e7915f6edee531e

Download Submit
\Windows\system\tXHFcgr.exe

Filesize
489KB

MD5
73debc093a7a818877d5308b14e6ae0e

SHA1
403ab300ac3014bcea61a0d01436b24ce991bc04

SHA256
c4cea5ba7f0787878e11d2f1713795848661b4487ae5d65cc3a7a5cf15f69174

SHA512
10135c2963b8723bf8b712c9322167dbc511792b5e38651211b9e5da55d5a58c1ba0a29ddb32000157be46d1b7c3a9559f1a13c2bfab6a074d3b7aab27ca3406

Download Submit
\Windows\system\uDuXaGg.exe

Filesize
453KB

MD5
248118ded7fd86ae429269bbb69dfdd4

SHA1
2eaf2879ff8cad744cf42d71315a17f268a2298f

SHA256
db98dd325268311acd53d650f2f6253af398a5735f7adfa8e17875f7cdfe1f32

SHA512
c51b2d8043e74502c8978aa9dc8bdf496598c68e007a15f8794ba70729ce7363189cfaf9cb49e4e65e4db7dd9492846d1d6d36ad858629fd0a3c8621a181530a

Download Submit
\Windows\system\zSJbfJG.exe

Filesize
1.3MB

MD5
c0e91b8f8faa39b1c8c7f8106ed4f405

SHA1
e2be1dd61d752e062b1faec78d886510ac84deb7

SHA256
578885e2f791713cd0f41a9693cc663e976f6d420e1fd334a064130ea5838202

SHA512
48728da5634b9ce458ade0d390b481397434ff6894ce032e438c17050203b8d0463fca6275c74bf797c722b9f1d5cb130403bb6b27df955574eccf5913366211

Download Submit
memory/472-94-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/584-93-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-99-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-48-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1724-61-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/1724-101-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-30-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-54-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1724-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1724-37-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1724-102-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1724-0-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/1724-90-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-45-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-100-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/1724-44-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1724-68-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/2344-62-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2348-73-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2592-47-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2608-56-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-49-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/2704-34-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-46-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-22-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-103-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-23-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2900-38-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-75-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-98-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download