cobaltstrike | 7f28018c3f6727670ae7c0535b9e1039d52bdd32e950bc789609c95d81b3f6a8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Size

10.6MB
MD5

07ca8b7a8462cf263b1b4189cc18cdf6
SHA1

c8e15653f4c4eead32d54586632651c27c609c1e
SHA256

7f28018c3f6727670ae7c0535b9e1039d52bdd32e950bc789609c95d81b3f6a8
SHA512

83b63ae20eb99491d2f1b31036a6aa4e8a2032b8469db31922ffa6fefae3c6c131aed378ef251fc69aee27a1d13a2e9ebd10e4a9a936d7dd8eae02d392d6c326
SSDEEP

196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoWcY:dYXpkG6uDBuQjmrOHO

Score

10^/10

cobaltstrike xmrig backdoor miner trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1596-1115-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1596-1936-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1596-2684-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1596-3505-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1596-3674-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1596-3727-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	xmrig
behavioral1/memory/1596-1115-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1596-1936-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1596-2684-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1596-3505-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1596-3674-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/1596-3727-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig

Drops desktop.ini file(s) 1 IoCs

Processes:

2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	F:\autorun.inf	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	F:\autorun.inf	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\msadc\msadcs.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\bin\installer.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Monterrey	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	1596	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
Token: SeLockMemoryPrivilege	1596	2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_07ca8b7a8462cf263b1b4189cc18cdf6_cobalt-strike_cobaltstrike_xmrig.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
10.8MB

MD5
15da1ef48ed8815753589c9fcad752ff

SHA1
a6dac4dd3468cfaccc3835e8fe9733f215dabe3f

SHA256
fd255d3f613605bf76f7a208b20021261ff4a851064ae841442a8acb7a894ef6

SHA512
695688e6d54130eab5bdb25504c25f10885bedf1b118116d9b06e87be96f42ce13d39f517e5ba587c553e0744cff74a4fdcbedbeee8bba964578db8062d4e9fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
9a15e4d267e4983d82ada56e8f26fe38

SHA1
4b4cf579ce49356918debfb4ea8df60709f4fd7b

SHA256
ba129637803a56b77496daa64dcc244528c5a200b3650e4ed09b71286f8b4799

SHA512
586405ee699dc35ecf7e538021e35f2c8ddae80247f7af2e75c8f617688f231b212f5ec9db237de8f9d4f4e4d29c6e4be04c7575fd17122dbe1a782879933dee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
52c5638162018f1a667b26effed89aae

SHA1
e025fe5d4ce628338926d60d81d113afd7a172f9

SHA256
4db9e921ac9604df5f1d35350e501df63cc16d0cef3dbfdc44319eb373966eac

SHA512
340cf571dae65c6daf9594e81bcfd908eea2aedeab4c745e2dcf452c0a866add972eeb683c53bbb992bc190fba101560f63e92a218093985d54dc6ab6987bf46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
241ab9ddb147bb3dccb0982e721bad94

SHA1
026b0b5e397261e9ebf6fe450cad1750fcd2912b

SHA256
518bbf2872314c9703c9103d60c97091ebb0f6c3a9f39072f90631c3f979a9e9

SHA512
90c9ab034af4b9a77c5e3b76e89f88f5c92593ab8fe82e14637cbfb22da9a15cb2c004b235a5b3056caff7eb8d665928962c814c08d13210876ea88b444dc3e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8fac0f66bd99df7f1837ffc9916c092b

SHA1
f10e1fa999e5b6328ec4ca8647bd661b9916d805

SHA256
661314ea8a8496bea8e1e2bbf58043e1517e5be486d54f84310f72b99f9cc242

SHA512
301a4ce7fc0e02d361bd693b4965048fcc86a2282203ab0206a3e2241de278d42550b8ab3a4e71b6d7c1e7d4ef6cc765bbd88a46a316122aa41668c4f4c90109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de8bc6a53889eb08c6ec2217cad9c982

SHA1
7e08a1ee41c5bd8f7f933e02fb535d404f2ed7ad

SHA256
0abad2017f29c07da7ef89c0ad175996049220c348cdc732857b48be8e03905c

SHA512
bb7805651c818ad68a12e1203d9a8e31f249763420547de25ae9a96868f68687afa56b5e4f41ee4ca2f4318a9aa91905b38d116d115cf85668a9db0229c2956a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d4e8bdbc019390544b91939c28517b7c

SHA1
28490b55dde74555b5c51f59e6940b05c0c330c9

SHA256
002ec7a2afbb03efc7d9f84db1dad8d1f9c7453413e3eec9681e7d6ac3e210c3

SHA512
7d692fc540de17f39958b2f15099351f0b19f91b4da23c5b61418fd8c99840c8f52106ee33324b0b388b5b2ddcadfeac3930d96cfa90b5e072291f2950fc56c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dae233660013c8cf866db86bbb54dc49

SHA1
2f516a1e60fea1eed1f6165ba9f600e965ae041a

SHA256
27bfdc829e90f60a106126c8376cf3a47077b15cbc493050d2e90e2b16cfe82a

SHA512
75008585366899ea152279cca1ac13bd0e34e5373826cac0c53c91b70450aba3bd04e57aacdbc63130a4b2bb48e35271ef51de578e6e1426b0d132afa3b93b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e45f1560407c4b0e2f6a99f35dbe2355

SHA1
07af40a53c39b41fb577dcf559c26a67c304adc8

SHA256
f0dc40c1a0c9f0a57ec01f73c494a32363ee4e5d42627338a9f70c1541df6274

SHA512
337011cd9a9d5757e14dde11a4185194abb94cfee22180ced363ab0ceac1eb458955163ab0c43e037f594097fb04ef8f702cbd48f06c858854bcb563bccdb4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
915ab93ed2f68476c2646ba3ec8a47fe

SHA1
7dbf43f75e34d69df82c0105de2d8da4393f60fc

SHA256
fb0de5e743f982279426e8a065f7382a00c537a8bf327b0df0a9e67848fc70a7

SHA512
c4e5e68d022fa6eb3cc204e2737580ad8ef21d46ae0b789070e6f8b03d1a7ac6fd667ad677f9b1c390bac33016700638ab1cfa6682d41021176d1cc0a6f8bc86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
401670ac59e4d606f8b645ab0c611ea8

SHA1
2855a51f4a568097782028df67ebaa5ad103c156

SHA256
83034c3ee84f24003f73d79b3fe637e113f03c480512a52c9aaaf48074be1244

SHA512
7ac3dd14eedc60f6fd7fa4f34659ca63ae069f78e8293f3a4eebbdbef0788db6ceda7bf107cfbc8ec232db4975f1b9c6d7933c3e86707f2e6c5e13b790c0046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2158.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2199.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1596-2684-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1596-1115-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1596-1936-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1596-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1596-3505-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1596-3674-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/1596-3720-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1596-3722-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1596-3723-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1596-3724-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1596-3725-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/1596-3727-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download