Malware Analysis Report

2025-01-06 15:14

Sample ID 240525-qkwh9sec64
Target 2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig
SHA256 8baf52bcf6bba53df5088d137614c655b569f2ba866d0b0ab4ab797a92c110a8
Tags
miner 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8baf52bcf6bba53df5088d137614c655b569f2ba866d0b0ab4ab797a92c110a8

Threat Level: Known bad

The file 2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig was found to be: Known bad.

Malicious Activity Summary

miner 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Detects executables containing URLs to raw contents of a Github gist

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobaltstrike

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 13:19

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 13:19

Reported

2024-05-25 13:23

Platform

win7-20231129-en

Max time kernel

117s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\rtstreamsink.ax C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\ConvertUnregister.inf C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\PipeTran.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\readme.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.vnhkpDqYBR.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.HdyLVjJpmJ.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
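The Blob values in this table are Windows' serialized certificate-context properties: a run of records (DWORD property id, DWORD reserved, DWORD length, data bytes) with the DER certificate last, under property 0x20. The one logged in full, for AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6, decodes to a friendly name of "Starfield Technologies" and a DER subject carrying the ValiCert Class 2 Policy Validation Authority strings with a 1999-06-26 to 2019-06-26 validity, so it is a Microsoft root program entry rather than an attacker-issued root. Together with the CryptnetUrlCache files listed under Files, this is consistent with CryptoAPI's automatic root update being triggered by the sample's TLS connections rather than with the sample planting its own trust anchor; the signature name alone does not distinguish the two cases, the blob contents do. The parser below is an added example, not part of the report or of any sandbox tooling. It carries the first ten property records of that blob, copied from the table and deliberately cut 26 bytes into the certificate record, checks that the stored SHA-1 property matches the key name (the thumbprint), recomputes the thumbprint when the DER is complete, and reports truncation instead of silently stopping. Property names follow wincrypt.h.

```python
"""Decode the Blob value Windows keeps under
SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<thumbprint>.
Records: DWORD propid, DWORD reserved (1), DWORD cbData, cbData bytes."""
import hashlib
import struct

# Property ids as defined in wincrypt.h (CERT_<name>_PROP_ID).
PROP_NAMES = {
    0x03: "SHA1_HASH", 0x04: "MD5_HASH", 0x09: "ENHKEY_USAGE",
    0x0B: "FRIENDLY_NAME", 0x0F: "SIGNATURE_HASH", 0x14: "KEY_IDENTIFIER",
    0x19: "SUBJECT_PUBLIC_KEY_MD5_HASH", 0x1D: "SUBJECT_NAME_MD5_HASH",
    0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES",
}

# Opening records of the blob the report logs for
# AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6, copied from
# the signature table and cut short 26 bytes into the final CERT record so
# the truncation path is exercised too.
KEY_NAME = "317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6"
BLOB_HEX = (
    "040000000100000010000000a923759bba49366e31c2dbf2e766ba87"
    "0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a9"
    "530000000100000048000000"
    "30463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c0"
    "3021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0"
    "0b000000010000002e000000"
    "53007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4"
    "1d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6"
    "030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6"
    "19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6"
    "2000000001000000eb020000308202e730820250020101300d06092a864886f70d0101050500"
)


def parse_cert_blob(blob):
    """Return (records, truncated). Each record: prop_id, name, declared_len,
    data, complete. A record whose data runs past the end is kept, flagged."""
    records, off, truncated = [], 0, False
    while off < len(blob):
        if len(blob) - off < 12:            # dangling bytes, not a full header
            truncated = True
            break
        prop_id, _reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + size]
        records.append({"prop_id": prop_id, "name": PROP_NAMES.get(prop_id, hex(prop_id)),
                        "declared_len": size, "data": data, "complete": len(data) == size})
        truncated = truncated or len(data) < size
        off += size
    return records, truncated


def prop(records, prop_id):
    return next((r for r in records if r["prop_id"] == prop_id), None)


def friendly_name(records):
    r = prop(records, 0x0B)                 # UTF-16LE, NUL terminated
    return r["data"].decode("utf-16-le").rstrip("\x00") if r else None


def decode_oid(b):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    parts, val = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def enhanced_key_usages(records):
    """OIDs from the SEQUENCE OF OBJECT IDENTIFIER in ENHKEY_USAGE
    (short-form DER lengths, which is all a usage list needs)."""
    r = prop(records, 0x09)
    if not r or r["data"][:1] != b"\x30":
        return []
    body, oids, i = r["data"][2:2 + r["data"][1]], [], 0
    while i + 2 <= len(body) and body[i] == 0x06:
        n = body[i + 1]
        oids.append(decode_oid(body[i + 2:i + 2 + n]))
        i += 2 + n
    return oids


def thumbprint_check(records, key_name):
    """Key name must equal the stored SHA1_HASH property and, when the DER is
    complete, SHA-1 over the DER. Returns (stored_ok, recomputed_ok_or_None)."""
    stored, cert = prop(records, 0x03), prop(records, 0x20)
    stored_ok = stored is not None and stored["data"].hex() == key_name.lower()
    recomputed_ok = None
    if cert and cert["complete"]:
        recomputed_ok = hashlib.sha1(cert["data"]).hexdigest() == key_name.lower()
    return stored_ok, recomputed_ok


def summarize(blob_hex=BLOB_HEX, key_name=KEY_NAME):
    records, truncated = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = prop(records, 0x20)
    # Outer DER SEQUENCE with long-form length 30 82 hh ll: total = 4 + hhll.
    der_len = 4 + int.from_bytes(cert["data"][2:4], "big") if cert and cert["data"][:2] == b"\x30\x82" else None
    return {"props": [r["name"] for r in records], "friendly_name": friendly_name(records),
            "eku": enhanced_key_usages(records), "thumbprint": thumbprint_check(records, key_name),
            "cert_declared_len": cert["declared_len"] if cert else None,
            "cert_der_len": der_len, "truncated": truncated}


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

On a live host the same value is read with winreg or reg query; a planted root would show a thumbprint that is not in the Microsoft root program list, an unfamiliar friendly name, and, if the stored hash and the recomputed SHA-1 over the DER disagree, a blob that was written by something other than CryptoAPI. The declared length of the CERT record (747) equals the DER's own outer length plus its four header bytes, which is the quick sanity check that the record boundary was parsed correctly.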

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 endpsbn1u6m8f.x.pipedream.net udp
US 34.196.63.177:443 endpsbn1u6m8f.x.pipedream.net tcp
US 34.196.63.177:443 endpsbn1u6m8f.x.pipedream.net tcp
US 34.196.63.177:443 endpsbn1u6m8f.x.pipedream.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
DE 35.156.248.16:443 tcp
US 8.8.8.8:53 UwcmGdY.bitbucket.com udp
GB 185.166.141.7:443 UwcmGdY.bitbucket.com tcp
US 8.8.8.8:53 Zy.bitbucket.com udp
GB 185.166.141.8:443 Zy.bitbucket.com tcp
US 8.8.8.8:53 yrCgCGAFe.bitbucket.com udp
GB 185.166.141.7:443 yrCgCGAFe.bitbucket.com tcp
US 8.8.8.8:53 NqGv.bitbucket.com udp
GB 185.166.141.8:443 NqGv.bitbucket.com tcp
US 8.8.8.8:53 jRieIhnWEPbiDB.aawyqogCPXWhMicNFCtx.readme.io udp
US 104.16.242.118:443 jRieIhnWEPbiDB.aawyqogCPXWhMicNFCtx.readme.io tcp
US 8.8.8.8:53 f.TGWuGyRGTxUPTRxhUzFT.readme.io udp
US 104.16.241.118:443 f.TGWuGyRGTxUPTRxhUzFT.readme.io tcp
US 8.8.8.8:53 HOXFpKq.lAhISLomgaIaSaflooJX.readme.io udp
US 104.16.242.118:443 HOXFpKq.lAhISLomgaIaSaflooJX.readme.io tcp
US 8.8.8.8:53 CzEgiCcxgbdOhT.JkVQVkHDVryboYZQmLHP.readme.io udp
US 104.16.241.118:443 CzEgiCcxgbdOhT.JkVQVkHDVryboYZQmLHP.readme.io tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 l.bitbucket.com udp
GB 185.166.141.8:443 l.bitbucket.com tcp
US 8.8.8.8:53 ZMAi.bitbucket.com udp
GB 185.166.141.7:443 ZMAi.bitbucket.com tcp
US 8.8.8.8:53 WwdCNroKIg.bitbucket.com udp
GB 185.166.141.9:443 WwdCNroKIg.bitbucket.com tcp
US 8.8.8.8:53 QxqkrIjdm.bitbucket.com udp
GB 185.166.141.8:443 QxqkrIjdm.bitbucket.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
DE 35.156.248.16:443 tcp
US 8.8.8.8:53 noscullsnow.com udp
US 8.8.8.8:53 idcomercial.com.br udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp
DE 35.156.248.16:443 tcp
US 8.8.8.8:53 mZdcRzbiQirf.bitbucket.com udp
GB 185.166.141.7:443 mZdcRzbiQirf.bitbucket.com tcp
US 8.8.8.8:53 aLbR.bitbucket.com udp
GB 185.166.141.8:443 aLbR.bitbucket.com tcp
US 8.8.8.8:53 mgxQJzibQTtw.bitbucket.com udp
GB 185.166.141.9:443 mgxQJzibQTtw.bitbucket.com tcp
US 8.8.8.8:53 daTcZBNIiR.bitbucket.com udp
GB 185.166.141.8:443 daTcZBNIiR.bitbucket.com tcp
US 8.8.8.8:53 CsGFBBhkkcF.bitbucket.com udp
GB 185.166.141.8:443 CsGFBBhkkcF.bitbucket.com tcp
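Most of this table is contact with legitimate hosting services under hostnames that are plainly generated (mixed-case labels such as UwcmGdY.bitbucket.com or jRieIhnWEPbiDB.aawyqogCPXWhMicNFCtx.readme.io; the Internet Explorer start pages vnhkpDqYBR.com and HdyLVjJpmJ.com in the registry signature have the same shape), which is what fires the "Legitimate hosting services abused for malware hosting/C2" signature. A practitioner's first pass separates that fan-out from the handful of rows that matter more: a non-hosting domain contacted over TCP (kampower.com), lookups with no follow-up connection (noscullsnow.com, idcomercial.com.br), connections with no DNS at all (35.156.248.16:443), and the pipedream.net request endpoint, which is the one hosting-service row contacted repeatedly on a fixed hostname. The script below is an added example and not part of the report or its sandbox; it runs that triage over a subset of the rows above, copied verbatim. The HOSTING set and the two-entry stand-in for the public suffix list are assumptions.

```python
"""Triage of the sandbox Network table: group rows by registered domain and
separate hosting-service noise from the few contacts that deserve a first look."""
from collections import defaultdict

# Subset of rows from the behavioral1 Network table, copied verbatim.
NETWORK_ROWS = """\
US 8.8.8.8:53 endpsbn1u6m8f.x.pipedream.net udp
US 34.196.63.177:443 endpsbn1u6m8f.x.pipedream.net tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 35.156.248.16:443 tcp
US 8.8.8.8:53 UwcmGdY.bitbucket.com udp
GB 185.166.141.7:443 UwcmGdY.bitbucket.com tcp
US 8.8.8.8:53 Zy.bitbucket.com udp
GB 185.166.141.8:443 Zy.bitbucket.com tcp
US 8.8.8.8:53 yrCgCGAFe.bitbucket.com udp
GB 185.166.141.7:443 yrCgCGAFe.bitbucket.com tcp
US 8.8.8.8:53 jRieIhnWEPbiDB.aawyqogCPXWhMicNFCtx.readme.io udp
US 104.16.242.118:443 jRieIhnWEPbiDB.aawyqogCPXWhMicNFCtx.readme.io tcp
US 8.8.8.8:53 f.TGWuGyRGTxUPTRxhUzFT.readme.io udp
US 104.16.241.118:443 f.TGWuGyRGTxUPTRxhUzFT.readme.io tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 noscullsnow.com udp
US 8.8.8.8:53 idcomercial.com.br udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp
"""

# Assumption: the services behind the report's "Legitimate hosting services
# abused for malware hosting/C2" signature. Contact with them is noise until
# the requested path or TLS SNI says otherwise.
HOSTING = {"bitbucket.com", "readme.io", "dropbox.com", "github.com", "mega.nz", "pipedream.net"}
# Stand-in for the public suffix list; a real tool should load the PSL.
TWO_LEVEL_SUFFIXES = {"com.br", "co.uk"}


def parse_rows(text):
    """Rows are 'country dest domain proto'; a row with no domain column is a
    connection made without any preceding DNS lookup."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def split_host(host):
    """Return (registered_domain, subdomain_labels) with original case kept
    on the labels so the generator fingerprint below still works."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:]), host.split(".")[:-n]


def is_mixed_case(label):
    """Real hostnames are nearly always lowercase; upper and lower case mixed
    inside one label is the fingerprint of a random-string generator."""
    return any(c.islower() for c in label) and any(c.isupper() for c in label)


def triage(rows):
    by_domain = defaultdict(lambda: {"hosts": set(), "generated": set(), "tcp_peers": set()})
    direct_ip = set()
    for r in rows:
        if not r["domain"]:
            if r["proto"] == "tcp":
                direct_ip.add(r["dest"])
            continue
        reg, sub = split_host(r["domain"])
        d = by_domain[reg]
        d["hosts"].add(r["domain"])
        if any(is_mixed_case(label) for label in sub):
            d["generated"].add(r["domain"])
        if r["proto"] == "tcp":
            d["tcp_peers"].add(r["dest"])
    out = {"review_first": [], "dns_only": [], "hosting_contacted": [],
           "hosting_fanout": [], "direct_ip": sorted(direct_ip)}
    for name, d in sorted(by_domain.items()):
        if not d["tcp_peers"]:
            out["dns_only"].append(name)          # unresolved, blocked, or a plain lookup
        elif name not in HOSTING:
            out["review_first"].append(name)      # a real host contacted over TCP
        elif len(d["generated"]) >= 2:
            out["hosting_fanout"].append((name, len(d["hosts"]), len(d["generated"])))
        else:
            out["hosting_contacted"].append(name)
    return out


if __name__ == "__main__":
    for k, v in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{k}: {v}")
```

The dns_only bucket mixes benign lookups (www.microsoft.com) with domains that may simply not have resolved in the sandbox, so it is a list to read, not an alert; the review_first and direct_ip buckets are the ones worth pulling the PCAP for, and the hosting_fanout tuples (domain, distinct hosts, generated hosts) quantify how much of the table is decoy-shaped traffic on a single service.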

Files

memory/2884-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe

MD5 21cfaa83a9f2ab0b37cee96d67b35bda
SHA1 4cae240bf50524eefaa268b24f906611154a00c9
SHA256 46307f3b5e8d8b949626cd6fbc4b2849deb6db809d2180d0e4577c2375bb246f
SHA512 57438ad8c15d34c7a29650a777d31baaf1dca0a8fcf694f70a0526bd4e50966f707931d54c07882cbaa6bb2896a9cda2138c96a8a00ac31a2a1eadc5ff423710

C:\Users\Admin\AppData\Local\Temp\Cab11EB.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1357.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e7d1529a5d512886286eff2f7b1c7a0
SHA1 e94f0bce3323c9601fc4ade93669453636708cac
SHA256 7ae71475b28b780e5cd62dc4b9c7b45abe4d556f2da250fa9c75fcb32bea7380
SHA512 947b44a5b200954e692f7054ca35332045df5f63fbf8e43b182ab70c3bff45aa7687e02c14eb1c505bc1931bf440e4bfb36af0df468a26c347c3d07c552afbd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a1d301df62d91711119a9ceb03658af
SHA1 304b48c10075ae796a371e1f2660a11ace702707
SHA256 4e74cb3e37ce68e535290c8cd136645ffb390029e42f519706769fc918d6e45e
SHA512 48436fe13fd6b6f0cae0a318145a7ea39fd55a2421d85217467d3c05c9be5fbe9f4655ff4cf8a28ff41c7fe4b9ccbc7eb99066a1ae989cb8166db64852ef17a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 7d01296bd3f57b939a1035e34a4417fd
SHA1 678d92c0df2321b58cde0314f9e8505f841c0890
SHA256 b831b354f1f1931c7d8eb7213299dec6505d011f21cdaa4f353733eb43fe2d15
SHA512 b12b1b1bfd7f2ebad946b4478888e0ef2a84fba186f004b75e8af9cae845065c9917a72e0e3aab94ad7d7c2d6e2e9d0c730e832822e7433671548acf42671f58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 046fe4539d3d11fa0a72eda692920c2c
SHA1 f3f0bf735b64af5c1357ee864cd6873cf6d50b6e
SHA256 0414987414cff294d0613f151005cad2715413da72cb9321a570f1f63408d136
SHA512 50ff90680c56fff199540a8dc1e1ff12b70c246594f5795a719fd18a353baaadf10d25070f50b441d2d3d544d1b71a0df56887aa871217badd669eaca7bebd36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 fbaa4d0d3c603f3041deccafc1e93ff5
SHA1 7a1e7c0470a5fa5306791e76a3cc6a75d488cb05
SHA256 86b37f9fa1c12cce0994b8fbab15a144ee9bcc79d300b49c3405cfcd572bbb47
SHA512 914bd7fb497bc99c88050f7d0dc4063b50f0de9fff79349c99ec8432deda50853d4458710975d2ab4ae5a34f68f50ae3145a9dc874eafac5c1d890058d03e4d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed8534e9b970869668986b2451a424fa
SHA1 693e2b80a177961341b386e8a63c152414d931e2
SHA256 8eed136d95f690d34832ad82ba9c20015b7244b1fcf602c4e70773256221c979
SHA512 b9075fdac2ca701b17bcabfeb4d7437ed43fed6334fc5e605220de3c675756a013ec1a9eb673a25cc74ab58341bebc1a6afaad9ff67947ccffe980d822a025e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c30abaf7bb9d848db5447701e07fc38c
SHA1 c47ee49f773f048bb4431de0c3898e9652dfdc32
SHA256 3cce0a6bd9a68119842209b580a15cb299a639c34403890300717cb6b386f0c8
SHA512 42c73ebb10bc994a8b37d0c7b53ef3e2ee6aff65d0855091d4851434db157e4a3592cb5cbcc348f37d288b11fc39df989af2c96d67a2663d90465066a81e4316

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f04fb155396af49acbdc8f101cfdea52
SHA1 8a052980f4d599036fa31aa158fcc6fe1c77cced
SHA256 0391f27f976dc0e89b5e8324b189c77665113ba2355f9a6adeec2b6d4941ebe0
SHA512 327ab270d27323bdbcf8d305c3e378d752bec124a95f7f800a1faa868b5455c846b4eb9c933b11f31c7ff2510be85f05e9fcd6815ec9be9bcfe0dac3807e5891

memory/2884-906-0x0000000000400000-0x00000000010B2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 424fc95c8c18cd77efd3facdb4ee0795
SHA1 ab39e4d1fca6bd0677a51e44d824e142f7a35286
SHA256 4e92402814b1cf05a5309729cf0192636b8e70d86605ff886431b4a1ecc4aa99
SHA512 3a8d4b29b0196a718bd9f9b69b8e24bcac103ef6e0f32b7b67db1ae2465a0873f1347c6bdcf44e74e63267aad28e38d038e52f057ff812dfb967b2149caa0fb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b5e9c157f896a75e0fc1fad1f66860b
SHA1 1233e650503ca338caa1a7a3cc2c4f835915922c
SHA256 253529bfa9deed28fb568e0ad7cc6cc3f13230d1188e497fcfd0b6c2da4887e2
SHA512 9ae823c431619e001cdd3f8cd83bf3a2d7dfc7f57aab008a90f42cfefebbf258881c65dda612b2491de03e1759f1eac94e5e10803aecb3edf4c16d1e4853ab1f

memory/2884-1619-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/2884-2104-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/2884-2678-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/2884-3292-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2884-3306-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2884-3310-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2884-3314-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2884-3317-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/2884-3319-0x0000000000401000-0x0000000000A18000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 13:19

Reported

2024-05-25 13:23

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\LICENSE C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\es.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdfmap.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\7-Zip\7z.exe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mraut.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\tr.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\EnterPublish.ADTS C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\en-US.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\ExportTrace.midi C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hi.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.JwLDiGrjzZ.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.KNhnBPKpwz.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.vAGRRLvUZQ.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.zVGyjkBdhi.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.QmXZaxcFzi.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.gKAgbXykCf.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.OTRLRSiNST.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.anMrliaaWE.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.VPUKobeKYL.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d1
98feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 endpsbn1u6m8f.x.pipedream.net udp
US 3.95.144.111:443 endpsbn1u6m8f.x.pipedream.net tcp
US 3.95.144.111:443 endpsbn1u6m8f.x.pipedream.net tcp
US 3.95.144.111:443 endpsbn1u6m8f.x.pipedream.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 111.144.95.3.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.140.162.3.in-addr.arpa udp
DE 35.156.248.16:443 tcp
US 8.8.8.8:53 uUapdzNRW.bitbucket.com udp
GB 185.166.141.7:443 uUapdzNRW.bitbucket.com tcp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 7.141.166.185.in-addr.arpa udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 AgZbpQ.bitbucket.com udp
GB 185.166.141.9:443 AgZbpQ.bitbucket.com tcp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 fHVZsoYpp.bitbucket.com udp
GB 185.166.141.7:443 fHVZsoYpp.bitbucket.com tcp
US 8.8.8.8:53 AmIlqRQRcOqurr.bitbucket.com udp
GB 185.166.141.9:443 AmIlqRQRcOqurr.bitbucket.com tcp
GB 185.166.141.7:443 AmIlqRQRcOqurr.bitbucket.com tcp
US 8.8.8.8:53 9.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 OtXsEyMS.bitbucket.com udp
GB 185.166.141.9:443 OtXsEyMS.bitbucket.com tcp
US 8.8.8.8:53 LDsohUgEvVUtTH.bitbucket.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 185.166.141.7:443 LDsohUgEvVUtTH.bitbucket.com tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 18.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 uc065c1dd5e34f8a67a33d0aa347.dl.dropboxusercontent.com udp
GB 162.125.64.15:443 uc065c1dd5e34f8a67a33d0aa347.dl.dropboxusercontent.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 idcomercial.com.br udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 dBVyPVy.wYOiKNdTCQCpLrNHWDrg.readme.io udp
US 104.16.241.118:443 dBVyPVy.wYOiKNdTCQCpLrNHWDrg.readme.io tcp
US 8.8.8.8:53 TalDuHwSLJKHTs.dzQbctBjqdhRoViitwmc.readme.io udp
US 104.16.242.118:443 TalDuHwSLJKHTs.dzQbctBjqdhRoViitwmc.readme.io tcp
US 8.8.8.8:53 jMfpNIYU.MDseWWvkiejSMtAHSaxn.readme.io udp
US 104.16.242.118:443 jMfpNIYU.MDseWWvkiejSMtAHSaxn.readme.io tcp
US 8.8.8.8:53 ZHYmqOZdSnQ.mZDpExdwaAmfxhlNTYBB.readme.io udp
US 104.16.241.118:443 ZHYmqOZdSnQ.mZDpExdwaAmfxhlNTYBB.readme.io tcp
US 8.8.8.8:53 EhTSFZTXec.qqGHcbLYzgWFaqHaBIeS.readme.io udp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 104.16.241.118:443 EhTSFZTXec.qqGHcbLYzgWFaqHaBIeS.readme.io tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
DE 35.156.248.16:443 tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cBUEoHTlFdA.bitbucket.com udp
GB 185.166.141.8:443 cBUEoHTlFdA.bitbucket.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 8.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 ndLFKGCk.EzTYzRzzIexvqfsjEuPH.readme.io udp
US 104.16.241.118:443 ndLFKGCk.EzTYzRzzIexvqfsjEuPH.readme.io tcp
US 8.8.8.8:53 FMOFAAwropzt.KFAcvZOKWlQvPDcwWzKE.readme.io udp
US 104.16.241.118:443 FMOFAAwropzt.KFAcvZOKWlQvPDcwWzKE.readme.io tcp
US 8.8.8.8:53 cuaMZg.ylcMgxPtMpxKjvRXaDcL.readme.io udp
US 104.16.241.118:443 cuaMZg.ylcMgxPtMpxKjvRXaDcL.readme.io tcp
US 8.8.8.8:53 y.mhjxPQqWSQXHzDDOZGex.readme.io udp
US 104.16.241.118:443 y.mhjxPQqWSQXHzDDOZGex.readme.io tcp
US 8.8.8.8:53 RCHjQOVAf.zRIhRMzuOpJNfuAFSJeN.readme.io udp
US 104.16.241.118:443 RCHjQOVAf.zRIhRMzuOpJNfuAFSJeN.readme.io tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 5.145.216.31.in-addr.arpa udp
US 8.8.8.8:53 noscullsnow.com udp
DE 35.156.248.16:443 tcp
US 8.8.8.8:53 www.bates.edu udp
US 134.181.132.45:443 www.bates.edu tcp
US 8.8.8.8:53 45.132.181.134.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/4024-0-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 9ab32d502e47e073d68c714c6e02141f
SHA1 ede549feddc45c42bafd2c1d6acae1ee596563b4
SHA256 8d4cf424ca4af56fec49431fae18af8b591c336c997a3d7110e198815a04047a
SHA512 70cd0fdedc307f1cbc3cae00d546d332e312179ca664e73ad7208e1273ff28e9dd45a9f70e10418fd491c4819c0a4a688ff14fbc0c0445a994db0b404750c79d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 e6f34dee36907f62a604715276857a04
SHA1 d34177bc8a30dc76d4aec5958425a44c9d9f1976
SHA256 8c8fbdbef1ea4bc2c68b40f687c4ce2756518f69813dd608303a9329cc1cb2f3
SHA512 b6769e78fd255866a2a0db666b15e8306234c743d6861d86dff53064e86ec6f7747eeacf753c89640e6d8ab0de09905910cde4f84e6e9e00bffa9847796be9b0

memory/4024-88-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-144-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-213-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-257-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-304-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-336-0x0000000000060000-0x0000000000062000-memory.dmp

memory/4024-342-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-372-0x0000000000401000-0x0000000000A18000-memory.dmp

memory/4024-373-0x0000000000400000-0x00000000010B2000-memory.dmp

memory/4024-374-0x0000000000401000-0x0000000000A18000-memory.dmp