cobaltstrike | 1d1511fefadcdc16bd13684b66d8485ff0e42c14382c9e2fd9d27503f678938f

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Size

11.4MB
MD5

d5c28a6673a46cae85e6383c4d2e2008
SHA1

0ac9a83fb5897e1eef89e93b7889490ed826da7a
SHA256

1d1511fefadcdc16bd13684b66d8485ff0e42c14382c9e2fd9d27503f678938f
SHA512

2bcb23303fa7535b690104a36302b94fc1065720bd6e0b0b4314863f090909383fe93cf7ef273b1d6133aed8f1d23a87a0e197e1408f94a2236b6a055afb432c
SSDEEP

196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoWhW:dYXpkG6uDBuQjmrOHL

Score

10^/10

cobaltstrike xmrig backdoor miner persistence trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1308-426-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1308-490-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1308-555-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1308-635-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1308-953-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1308-991-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	xmrig
behavioral1/memory/1308-426-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1308-490-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1308-555-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1308-635-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1308-953-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1308-991-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\me = "c:\\Windows\\System32\\me.exe"	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

21 drive.google.com
20 drive.google.com

flow	ioc
21	drive.google.com
20	drive.google.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	F:\autorun.inf	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	F:\autorun.inf	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description ioc process

File created \??\c:\Windows\System32\me.exe 2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	\??\c:\Windows\System32\me.exe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Internet Explorer\pdm.dll	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\AddSync.vsd	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Internet Explorer\networkinspection.dll	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.XUZWwhuabF.com"	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	1308	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
Token: SeLockMemoryPrivilege	1308	2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_d5c28a6673a46cae85e6383c4d2e2008_cobalt-strike_cobaltstrike_xmrig.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll
Filesize
11.6MB

MD5
540202c64980e4af412058df9980643e

SHA1
4ca4ac4d859d32fc926c01c6a699ceeddbc2111d

SHA256
44255cdb54945dff605ce8d714ce24593584c9ed4d577f540c96d02fdab712fd

SHA512
f0155be935d3d1c9568f2ce64932b8a3041ec6385eb70b5de7a0f4f7d664b7c5efb2fd561763a908798181375d7c91658da2fe2ce7474171a13918b4e3e709f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
c02928d2532ef2241871227d2f9b037b

SHA1
688dd4b4430062fb3793cae6143a3abe3dde9713

SHA256
6ba9169997853ed457f63f73995bed409bd27b4970c033710c485f63403121b7

SHA512
d027c594e165d3cd38633132970a13059ad9bc0042c123242404ac94738d5badcd3278d0e34249363c2ffc372eb3b1c1e33ac2cbdfb73fe8826cdd4616977c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
87514e7a5cabd23a6509e26bcd13a413

SHA1
08752c1095bb46e6de0a837668b25ca09752362c

SHA256
149e234b4b3897cf3a5c8437d9afb133ed8dc34918819663857393a295f23b33

SHA512
5d458132684842176b45495a4d5700f2f13d213f170eba2c66110cba3aaf2cc5b6e781932e3746d764338c13fda58df79b709b663614b85445a06ea59232c218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
91fdde48fd68afda4339b532ea28dd24

SHA1
b4bc06c63c1fc99b8cf51067311446bad5cdae3d

SHA256
7055abba1d2c131e220a5e7c513e05c6d6f2ca6b5850b84602361976f89075b8

SHA512
e37ed1668dc81d5b18d93c8974731d23729b15657267f443b6ebced44fbb645248914ae076fa78fc9567feb90d5d87f4654d8eafe4be9db533d38443b8dc50df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
41ed4a633d1fec22da62b9e0a572e228

SHA1
d9a5951775266c29a9fac5e2df42cb42ed73fe17

SHA256
bb25859581846ff20d47674edde197f5b138d85ddc91912ef6a17e718cce08b3

SHA512
9e3b72ad3c6656c95c983c549e0977abc1735c893d782e9b156924afdb9d04dc2e60e981fa01ab01025c45cd423cad5cd638093bda41e0e7241f9344d9dbcdfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b941c91d07111f6f1c587c2aa4f28e9a

SHA1
47ffc3de26049088e5aaa9b24e097480e8a2f4f4

SHA256
dbae780cec69cf204724b09c917991a6970647ce3ad4c679193b854776b35aed

SHA512
ddd0b1499666bf1e7ce0ada18ad59c3fb152d1cd5a2988014bd262e1faead307ad834390a694b3d97da96040aec0b198da47f6763cb1a9e96dea00532fcc56ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2b4f90c058ceebdd9d2a102f028c3c21

SHA1
476cc3cc496cbdb5b4acd348c58435cf98a7cb4b

SHA256
47c3a3b17153a220ef30be5e90a2d652327935ffdff432faae20a5b000342c3a

SHA512
ff8342aba09a680c6a41d6eb3dcca0f31b140fe4e98a9c3b20976915dd5383e668f9c2c45b972fd3dc50f2cd7e9e9232e8d7701ffa74cd6eb349df3b02325f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9167.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar917B.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9317.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1308-953-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1308-985-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1308-490-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1308-555-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1308-635-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1308-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1308-983-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1308-426-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1308-984-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/1308-986-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1308-987-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1308-988-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1308-990-0x0000000000401000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/1308-991-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download