cobaltstrike | 34458cfaed3533352e08db79c36d76c29f6be7e37cd478262cf1be8286cc420d

Analysis

max time kernel
133s
max time network
138s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Size

11.1MB
MD5

899f70d5ef318e6c2173e30cae312b74
SHA1

4da4ea46e96c984b533f112235b719a1265d4903
SHA256

34458cfaed3533352e08db79c36d76c29f6be7e37cd478262cf1be8286cc420d
SHA512

b107071f724085d7e90ac99a89a2b512fa4ac2a63dc4cad269879ea27aaa78c52ad0db4ed0b7fbcdd42793b63509c3370524a607dbf8c52b186cfcf7b4366f83
SSDEEP

196608:m2XrSIqtPazmgL7uDbzV0xpZr8o37nmPQLi7gCsLd9:maWIPyquDCzzmPfgCE

Score

10^/10

cobaltstrike xmrig backdoor miner trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2132-838-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2132-1579-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2132-2244-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2132-2723-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2132-3212-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2132-3261-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll	xmrig
behavioral1/memory/2132-838-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2132-1579-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2132-2244-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2132-2723-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2132-3212-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2132-3261-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig

Drops desktop.ini file(s) 10 IoCs

Processes:

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

33 raw.githubusercontent.com
34 raw.githubusercontent.com
47 drive.google.com
48 drive.google.com
55 raw.githubusercontent.com

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com
47	drive.google.com
48	drive.google.com
55	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	F:\autorun.inf	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	F:\autorun.inf	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1655.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfont.properties.ja	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Journal\JNTFiltr.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jni.h	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

Modifies Internet Explorer start page 1 TTPs 9 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.sdYQwyEHOP.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.jDXGsaOeeF.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.yOxinGMmWf.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.GBcIZVercX.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.SwwvVzfqjZ.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.NnMxluhLHj.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.UByfTtePTr.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.kMvqpKQnzo.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.rGaGrgmQWN.com"	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	2132	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
Token: SeLockMemoryPrivilege	2132	2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_899f70d5ef318e6c2173e30cae312b74_cobalt-strike_cobaltstrike_xmrig.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll
Filesize
11.3MB

MD5
89c835ec2abbc7738bf6e80cf78bc903

SHA1
aa398e8769a81d9c76a165e2ceac1e9c804e6d23

SHA256
9bec2b3e36fd84bbea29476533a7f54259d33cdba847ebda41899196dfb62b92

SHA512
b2318c47a3d550713329bb50b850b5948d642ddad27f84705bfb24fd3c1f3f15a630d74863cea0513f4b6c80f76a34e2ea9e9d09eaf4709c15e5541f3b427d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
625f94d7d0ed06cee37606d28453e5ff

SHA1
56b6405f4f965b6d5b8c58edaff06646873676a7

SHA256
be4a6dad5d0ea633715031edd4cb9c8196bf6638ed8c15782d62dcce97617508

SHA512
3ef46def8d2120e9bd61a5edd4058202162fa259139bdfaa0a14bf1726e1b20d7e7cf91aa6650a63603de20d5fa5577cf01d0bd26b1aedfe77662138909d0da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bed466c8c42bb960ac586e0ba905a3e3

SHA1
1d1fe7b5003936a9cb78f42843bf018a9462f42a

SHA256
b4278623f8f242169a5a38ee36acde8e948b9222ea0d57fc92dfaefb38a128a0

SHA512
259dce46c5e87c81534938e0333189e5e735edce406408faa1554950cfc72d4aad19d5f0e06a116b819720092eaed5325c0e819c355932c548d1e3be5ef60004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6c2fe923be6def78840e46d3b0e185d2

SHA1
f697a431e8349b8d8bf6b02c113cb5c4a15a9e36

SHA256
ab45a98c4e4160e9a0d9f89ab2b6e2b4d1c98e2159c6ff50764e38cc149543cd

SHA512
b066c8ce51822598382ba88491f2eeb005fa096b155e9e50334b5ec6f407d4d2589f082ae92d2b523c20d03a07c2df8d7c75bb5696ac5a970c02c8f88b870dd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f1015532260f80d7192eb31845c08fb5

SHA1
5db670a52f6bee3d08313f0da2e161a0e12036c7

SHA256
d10ce775345f9d3f591a0f9979ce6f5dcb4e306fe88e229a507d3e651eaf3af6

SHA512
ee7466f95703372442796ada211395e6fc440188044453b17bfbd380b513de485844283bc5cef1f454bf73acff84f9057a9d013e60e0a1b03cc9d8784abfc708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7718e29be143dfa0cdacee902ec4ff23

SHA1
2bf9277911eff917f93fe34fc83fab768a5bbd1f

SHA256
bcc598208d03a71924e38004baabd0b0f042344bcc38aa275b31ac4e2604a5a2

SHA512
ae140a859d93c225f5a968af100ec3bf275988d0f6428f9300b41adb07ba2ca9fd6f0851443c748a1069fde4dfc3b46b9f8d885d82b69588da164697af1818be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
757031ee44feaaa4adaf9243a0fd2799

SHA1
61742849394c8828784fd8ed50d9da578f768348

SHA256
6bd8fddca9d0145e13e95fb200741d66954566b41e743ff0915c28ce1a919c8f

SHA512
eae8bd410c4260e5d0988938c6f9ce07f2d99d0793a0346e169b4102281a659b0576e8c9f404352b2ecc14196da4e9dea9053244ce7baf2ab369d575de978fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b1fdc3d7d739d8229578638ba71bf2bf

SHA1
683587cfcf88c4840e8a848fd294a09001c0f69b

SHA256
e04bac65dafc98212b75234a0f1e5b3c8559cdb10849a31625653c4016effeec

SHA512
46c2eabfd4acda45fed54daa458b42b2b8ba2474d318cfee494f25f643cc777dcfea58be17acf9e15a8f32f3f6d0d59f12ccb0d4e75d66925b3eb335743b41bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b3a08d2a69a3729b39dcc5010d883fcb

SHA1
82fef0b9f98176b0a79cdc34a21232dce6de382c

SHA256
a0f25ca496735a76a91a18def604b33a531989eae0c521da3f8f04942583c9fd

SHA512
4299bd8c72084594ed3aafcffd9e2a15d743e1aafc27edb4ba07c7c0bced9a25df3b787ad246edf0ab05374fb2fa0c0f8370de9538d5d32be175943eabb278a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
91653ce7d6d611e33fe42323d988ee15

SHA1
62921d2842ce941bae80cdabbb5876236a0c38fd

SHA256
f19f262a7402b27d7c809da788440a18f4d912e09bfe8b3163005ec7a9584ba0

SHA512
c443eb9e22e46d88e2c1330cdd320a0b1f32571a77eadc751b6ba452e7142ffda647468ec85cfdcb0d1659cbeb22a8414d8bd6b79f9b183771235cb316e6b483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
12947e16174feef90d4120501fafbe22

SHA1
12e27e6cb97d01c80dc520a39d2a4c44e7a7c2ad

SHA256
ceacd355c46f305408ea2471f5ea2d5116fdc13c3e3664124327965b80a9e267

SHA512
16f3bdc7c590928f64701f250fa6cefeabf0e867fc46f711298ed09057ee1f54e13943c71b4ded034e846dec8887fc7e8489d7dcad6cbc8c072e2bae8709b5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab234B.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar236D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2132-838-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2132-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2132-1579-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2132-2244-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2132-2723-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2132-3212-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2132-3249-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2132-3252-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2132-3254-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2132-3257-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2132-3258-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2132-3260-0x0000000000401000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/2132-3261-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2132-3269-0x0000000000401000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download