cobaltstrike | b5a2ccff16b7a67d416f355d1fda783494cc2edbfa47ca51a7c9d5ee910d096f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Size

11.3MB
MD5

4ead4120cb8942537450505c291cd308
SHA1

e9ed9d43fecee6be41b941f86b8d216c646d0653
SHA256

b5a2ccff16b7a67d416f355d1fda783494cc2edbfa47ca51a7c9d5ee910d096f
SHA512

dfad13eb882be49020c68f8ef7d7bb187cd5cdbdb193f8e843e8f10d1a1fcb5bc18dab86eff6a71501d2cae997f59e87d9a8bf4c910d7d39bef8d5c6913a6a57
SSDEEP

196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoWXB:dYXpkG6uDBuQjmrOHC

Score

10^/10

cobaltstrike xmrig backdoor miner trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2392-783-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2392-1585-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2392-2264-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2392-2762-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2392-3041-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2392-3074-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	xmrig
behavioral1/memory/2392-783-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2392-1585-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2392-2264-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2392-2762-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2392-3041-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2392-3074-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
21	raw.githubusercontent.com
30	raw.githubusercontent.com
57	drive.google.com
58	drive.google.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File opened for modification	F:\autorun.inf	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	D:\autorun.inf	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	F:\autorun.inf	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmpnetwk.exe.mui	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Defender\MpOAV.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.WUgKlDzKtW.com"	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ymBNFDKYvv.com"	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	2392	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
Token: SeLockMemoryPrivilege	2392	2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_4ead4120cb8942537450505c291cd308_cobalt-strike_cobaltstrike_xmrig.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
11.6MB

MD5
286cb9b2e73c98b95583c119eed51417

SHA1
7058df92fdbdbb45e3a3c2a83ecaa706e7d113a8

SHA256
3fb549d29fd88658fa50c753b0aa14970da61f52004b42a6ba2291db9cd97c5d

SHA512
66355d1d0782e307ec8b2cecabe4a57026bb7f601d99848e582cc6fa8c7e287b15f01f081db771e09807cb0e34a97b5feab5bacc981266c9092b18fc71138e39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
ff17f9b97f49fde562d927e9a7c743f7

SHA1
664960025f13340ce570316c9f473ecc3086f645

SHA256
3c678f19e619b6972445a4f8ea49bcf45f0597e9b7ca874cf448ba65576e3988

SHA512
58caa0fbd1c6592e38d9e40701331c7f37d06ae0cf1887272c3858ccefc9cbb192ef31704eb6b5a1ac659d76dee993c919518a0a646e14b5bfaccd4e99a26fce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a6dd4e89e9f47c6f80a0cc27874ce80f

SHA1
dcf9ca8fb625bebd79b765994e597832d7332569

SHA256
c00b66af72fa8ba977d81ef9627ba165d692a5ef06b370db61ab21c413f79b94

SHA512
41886e41f0b1826085a5d3c710c13d534abad493d9a59248ba0af65e73477f0bb24b91a4e4ce341eeff404f22081679d07ca0968b747ec06509cecf81e9d7345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a1811b82d42102cbe77d2082cb8591e7

SHA1
7f7e45fa6f709390491004d83c7b7fd8379d6a80

SHA256
161c8b06df5b0f49aefcd04bc6866c22fbe114af229694d3917b4a061f7d5fad

SHA512
16696d7f57d2e8e9328a081c9d1ffa257b9462ba155d2c27d886142187768f9ae42d321f1e1fd903f9e8f57bc37dd054c44b1213c2d2cdb5cca27ffbedac71e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de4d59ea1f18b0f2bba2e67eada4ec7d

SHA1
c940eb95a50429ad520bb1a9234caefffe1015d6

SHA256
7b9b034879b04714dab7e20e332cdff2797b7750b5b7ae149a0f8b139724f9fe

SHA512
92dfa547be64803c38ad5c9998d9e9389e7c97bcb3ef2d9b996975dcf05d4631da9b41e7a39c1ba1ec88761d22a7fbe0486f0f40c7926625f0f11740b1712fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
766cb6b3bd91c3047369306e4b2cbf0a

SHA1
08ebec3a6aec3898e4c948cc8a73815821f9aa73

SHA256
ee773b184e3b4d123844ac00174e91f8e4969775c89ec064e6aa421e05386161

SHA512
ea70cf8a110fb3a361e0c54199ad5bb7d9adcdf667c34a910a62d82d9f27cfee49f824c1386cffd6925a71611159f96033ed1ea4720d706320f561db3dab3001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7312543dbdc4901a52a092ca13a8c331

SHA1
82277faf9114c967cc61293aa8c9ae36ac0ac3e9

SHA256
7ff1bf3f342e9f732fd4ee6c65be0b4d56dbd9e813c4ee4abed802b6f4d42eb8

SHA512
f397f9cf0b2e0e487f1b82b573401ae0a1451c2f4f525e231244695aad54adcecdd520ad198da01d24e170f577be373bbcaf0328117a891b6f2c6ecea68c3d81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
94f9bc121c7c2b817934837359e09a81

SHA1
8e0b2349b54f43b32372b5263d026ab088e37d69

SHA256
bbf85bf665908ecc3bedf4e06fbf9703fcfd66d1097bf5c8faec54fc83753329

SHA512
bc8b5d74d8d69e8adcaa1ac6d14462c4e6509453f2c1ecc4b664ee55f15a4629b7dbc2e97740ac447d40b8150abad4c4ad9925f11426f7dfa46307bc742cb451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4e2e2a3f9b54bae7946788833d9454b1

SHA1
e6cb311d3f42b85ad71ce0c614e2c80047540381

SHA256
ef1a1bf00efd56f1422c2270f65dd4d4dbb29ea70c8f665bcc2079939bba1368

SHA512
a387d7d1fdbda32a33a38604d31d184345f1810d97183c6f20ee9c7ad1599dc7b1015fe608a352e742d5d1e3be94726794c9fc855f9e90ae591a7409585bb9d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7747e3e8a14ca8c33613c71463e98f1f

SHA1
06718f07a3440df0916febafc86a2d4f4d98221c

SHA256
c90bca118ba4f0f8f2383a4c049b6692ee4b779699d3446418a65763fc110a15

SHA512
48cfa7075ae99d59fc2fb9dac3209c17adfa48f015dcbca8f0f3ddad0a254db13ff894c77525a06c400ac5e6eff6571ec1aa7a6665468f0d0076eddc9c647d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa493e045a56952604f27d205141f9ee

SHA1
34879a2bd85e25712d5339915a183cf770a338b2

SHA256
9e091f1c187258c44584b7c1c666fc44bab1342678e5b35babf355c72598cfb6

SHA512
955f312a53be72d4fc447ab6bcd5c9b18df94abc4319a5d98de2a8a86bb0a8dcc5c674fc9f817e8d495cfa8d95e3eed631d963f1e493c09680ef72958166c24c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b921d9397e3916cbcabcb599b25b4ee2

SHA1
fe765df1065a72a4bb22067b97429b9242cf71ba

SHA256
ada1223f9e9f8a729e53df21bc4ca84537dddb3b5629c1b928c36eeb8944cc32

SHA512
1ae0151210406a8a3ec261a6844f0be6eae022744d599e9376b9fd60315f0dc315b50df1108b954dac912f214065dee619abceb7490eff40107b113533e04c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1306.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1357.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2392-3065-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2392-3067-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2392-1585-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2392-2264-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2392-2762-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2392-3041-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2392-3064-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2392-783-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2392-3066-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2392-0-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2392-3068-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2392-3069-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/2392-3070-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2392-3071-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2392-3072-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/2392-3075-0x0000000000401000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/2392-3074-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download