cobaltstrike | b2682a2b6fc2c23a7ee8d5be63e8ff378f8953168aa9a776411979b20605a3f4

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Size

4.9MB
MD5

2cbbcf36f9bedbffb10f821eb280c001
SHA1

1726ea09c6af1714a1dd8b9a47782f33ac99d742
SHA256

b2682a2b6fc2c23a7ee8d5be63e8ff378f8953168aa9a776411979b20605a3f4
SHA512

877270c949890c4af87ddc425628df80274e73e938a20224b1a0b30d91d4c248aca92929ba6e6fa01d185f76df962a639d5efef0b34da1cdb86e3628081a2096
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxOUk:53EnsxxDt73DdKrwapwbRk

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2880-1063-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-1070-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-2217-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-3476-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-4249-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-4251-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-4439-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2880-4453-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2880-1-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll.exe	UPX
behavioral1/memory/2880-1063-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-1070-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-2217-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-3476-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-4249-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-4251-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-4439-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-4453-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2880-4455-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2880-1063-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-1070-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-2217-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-3476-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-4249-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-4251-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-4439-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-4449-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig
behavioral1/memory/2880-4453-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2880-4454-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2880-1-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll.exe	upx
behavioral1/memory/2880-1063-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-1070-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-2217-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-3476-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-4249-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-4251-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-4439-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-4453-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2880-4455-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
File opened for modification	F:\autorun.inf	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	D:\autorun.inf	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	F:\autorun.inf	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.tuuSPkTKRb.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.KiYLtAmgSe.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.EPsukjVSei.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.EFzBBLnCOw.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2880	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2880	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe

Filesize
5.2MB

MD5
8d602d00dc508d55e2aec138b571342f

SHA1
ae24c819bc7b097f0d55f3d164444ffc4f71e36a

SHA256
6e5b7c64d7347f9300c04809663c5cfcd33b118aeeb5ec73ed026f0b82a8bbe7

SHA512
c87cf6fe8bc5f576c782e334436e53f9f4c28d1c56320ea1c137dd23a791c394ab37af43c8c418e1ed9e3221b38b02fe69f77faa3ddaa4e2bba8267d500fedec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
3963de228a4243706353b8d812307d37

SHA1
d44e3b77eb205af0d7618ada56a942b84772fc09

SHA256
5c6c982edc6218ed186f380ddd7e539e83d848ef3c90b583c822ddab9fe72c84

SHA512
69b613755bbfc68f504fd33f0890d81b241ce553ef0e380f8f2b1bb28e275a1f9d1922aa5f564815373f991a51f9288e842f9bb83426ffb494ba694c8c4e777c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a945cc99c6333e08a2711e06ee2e8f8

SHA1
1724ed2ebdb40964431bd6f1093c3cdcf373f75f

SHA256
5571cbf7ba5dd9101b3700a791cd166bd6a9886290dc8b07cc09201dadbbc113

SHA512
35e1431c3a30af2517ea2b2ed8fb5b86115c6a563329b10ae4b24a5d336ca5d82176bcaf42f3de11aced95f4876cd3734ccb047c619f9f22a90fd83568c01265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f30a0cd1904883d6b11330fbcc3ead0

SHA1
35ba064697f24cd722edc150386b996fd21e1f77

SHA256
560769c014ab4a88dc15fe6fbf7932146995b3a3c6362534efa8fe5cbcd920e2

SHA512
4706e9106dadf7c076270035d70f8d74ea3b2fe96f6e388bd3452e528a028e2414ef8c327c0ef0abc904429e2a52207a80c6f82c8ae1b2dfb715d1c2e04af07d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68a88fe012db54b7ca005884cc0c1bc4

SHA1
3e855bf1911c870a4f52ea01fc45b530751429ad

SHA256
962b4de7113b520ab07f2fb660f0b200ec46e617506e7c053412ba6d6fb2d93a

SHA512
b561957d1ea5042673c7899a30a08eb469fc97dbd0aa783a75cafdac95875c02270aa3526e2bea25bb96fe950f8a1d6d5271f8401913b22b8270524f9dbcc1e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9287ea4b2f967de01a9bb2dd21e092d

SHA1
5c6d92a8948d08d625c0a9d0d3e089818323204b

SHA256
b76034096de25707d751a6d649ab95093a1547ca0aa2b1babb1367ccd4edde54

SHA512
963f470c4e4a151dbc61fcb4ee3b2569412fcd590b25646d622923eec19438bf3c915728f9f7fd5f7086be22d534582ad13926f9ae7cb533d77bb0d7ef43eb18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f07e6db6294ef1b3939e40c1d417015

SHA1
6f196f82b345219e28c46d35dd625020ce06692e

SHA256
4b02c14e83eefa2b2b9d2b8dbd091a6432b079b5914b111f109c79cf4d1c2dc5

SHA512
0d254b8aae59ef7ac94e1c2ee82f932c1104b2181b6bf5fa9396d30d2bed32c53e5fb99ba97c6f840900f2b22f1493e961f4d147257ef19e1b439299ae2e051b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD10.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE2F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2880-1063-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4436-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2880-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2880-1070-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-2217-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-3476-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4249-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4251-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4434-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4435-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2880-4437-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2880-4438-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2880-4439-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4449-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4451-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/2880-4453-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4454-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download
memory/2880-4455-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download