cobaltstrike | facbd1463fe98e01ead3f22d9a9ceb194ee55bac5376be9fccbe86082e2f8d64

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

7.8MB
MD5

045672e26712551ec8e1a82e9f45169d
SHA1

2d96e00ccb99d7d4d70feec0999191db8faf8d50
SHA256

facbd1463fe98e01ead3f22d9a9ceb194ee55bac5376be9fccbe86082e2f8d64
SHA512

bd2b7fd001a9c213d32e9c7339e320a4287720dc6ac01ac84b99a57a01a35be32782599f31c465082ea501ba30b088c44cc45eb70efad18c1b813c7da4bb01c3
SSDEEP

98304:bGUjSb/X0Z3y/t2uDN8nsk/39999999999eEN3JjAUtw6MT4nR8CZqXebhnp3aJm:bGUGb/X0Zi/t2uDN8qurYmd08uDU

Score

10^/10

cobaltstrike xmrig backdoor miner trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0002000000010622-6.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/files/0x0002000000010622-6.dat	xmrig
behavioral1/memory/2028-45-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-46-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-47-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-48-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-51-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-58-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-167-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-582-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-583-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-1234-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-1237-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-1242-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-1243-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig
behavioral1/memory/2028-1246-0x0000000000400000-0x0000000000DBD000-memory.dmp	xmrig

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com
151	raw.githubusercontent.com
33	drive.google.com
37	drive.google.com
47	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	D:\autorun.inf	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	F:\autorun.inf	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
File opened for modification	F:\autorun.inf	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe

Modifies Internet Explorer start page 1 TTPs 8 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.zoNjzpeyEB.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.IESezORpLf.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ZuVAknlEPh.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.himinSLBrt.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.izKFxHhoCy.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.eKnexcGogd.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.CxUjTlZpMX.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.pTOJMrrIrW.com"	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2028	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2028	2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe

C:\Users\Admin\AppData\Local\Temp\2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_045672e26712551ec8e1a82e9f45169d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe

Filesize
7.9MB

MD5
4d5ccb3daf88fa1e6db1f0da9a3a3d4b

SHA1
6be8d3d33512b70872a8c50613fd862951bdc4a8

SHA256
01f23c51133e5c9767320d48f6f14aa5071f3a1be14cb02c50a2702b4046c7cc

SHA512
16dd7ea59941e0d40d3cb03c8e19be53e0cfe4c68257649a95a6422d4b47d3e9546a5153558bebd2c9364b65b50631e1b28ea0959600224c6b152266c98d5332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56676f22cb5fa52bf5f8afa522b464ae

SHA1
8b96918aaf45bac0e040d75fbf0957c5cfa8b5fe

SHA256
45097b25ecf38c693e8665e6241caf88623abe550e5dc536c541485e887ae37b

SHA512
baddccfafde9d071a91817b9f8d21ea3dbb2efc6b0c4a219e6645c1b14480ac3ef8a2295b7bdc81d897cb0e285c7f73552ccb5a680ae5746cb2a976b71316c80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96bf5332cf22316f1286b633a4f5534b

SHA1
a9d6939b6502e3e9dfe9571ea8b3db4deb7fda5f

SHA256
2bed4f2d0ce7beeb20887cd0069408785682567d7f2c6da84b0c367a2bddadbb

SHA512
ac74bf77258de1b3c17cd208173dede2355bdddc7793f79b515ace4e4519193a779de0f26a7bbecc368d119b65dd55a2d34a59177919bc857a8a31c448f2cb7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
705ef7173ba51006d84915b7fd942255

SHA1
2ef850c5b5bd6b684daefae7a1ed46b472357b18

SHA256
fbc4ad8d89239ce46ff0d5b272c4f3b3ff17a0b1d760a873b14ff62e5aa765b2

SHA512
a0686ece6b9fcc36dce93952295816f0a9abefca58583bd680ea66b6755313af28bd66d81b053b975fa63cd4b4a3399f8134e61be477f9d2774355c6df0ed7b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5029332d53234da5a441ace93860b2f2

SHA1
af90a267e6733e98aa47b97385ba261294b4407e

SHA256
10aaafa7deaffa1686db85185861915a3ac9f655b4757423aae51e69c4ff5519

SHA512
5d6fe095e7b9dc87757085be40e31f84f6498f85a0d6af9cd7d74b0fe348645de2548ac4223cd270089a8a2ac5e9c78610adf217156a36797a1bbc569be78d46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0be7fc219dedbf0d11661dd0a1d2f888

SHA1
10d6de3c8950c93f6ef76a18d2ce7be5765962cc

SHA256
10a19aa8f8d380df43d2be590f18c36c8242b5afc867d9cfb664f0ac5f5d2c1a

SHA512
ad04c1383f3358e8ba7d45e8ed91b5c0f648f35aed1cbf3333db5fdcfe92e00263186663f0e8336cd1427dd54cd2c841adb9d297d073dc18ed27b186510d29b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF3C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBFEA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
F:\autorun.inf

Filesize
26B

MD5
1935cdab3da6383f98941575f1e8008d

SHA1
fa28e3d3a3c72ebf691233fc8fe9f236b08fe8a3

SHA256
f1070351b8c0a4c68c56112ccbb8fcad6d3730e2b24df38167f43284372bc438

SHA512
a7f03a4e04a8d479c92f96884791b6b3462119c1e2e8a8f99f9d94dacdc3d39853d62755210dbd9f8a416506a08a5e949d5f998c9e02df0b15e3b9d04e7f1e02

Download Submit
memory/2028-51-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-582-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-0-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2028-167-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-48-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-47-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-46-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-58-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-583-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-45-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-1234-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-1237-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-1242-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-1243-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download
memory/2028-1246-0x0000000000400000-0x0000000000DBD000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads