Malware Analysis Report

2025-01-06 15:43

Sample ID 240525-tv5fpsah39
Target 2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike
SHA256 cf4890fc8d1467a7853a76265f2d3aa9434455be745b9508498ec7925ab8df59
Tags
cobaltstrike xmrig backdoor miner persistence trojan upx 0
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf4890fc8d1467a7853a76265f2d3aa9434455be745b9508498ec7925ab8df59

Threat Level: Known bad

The file 2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig backdoor miner persistence trojan upx 0

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Xmrig family

Detects Reflective DLL injection artifacts

Detects executables containing URLs to raw contents of a Github gist

xmrig

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Detects executables containing URLs to raw contents of a Github gist

XMRig Miner payload

UPX packed file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 16:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 16:23

Reported

2024-05-25 16:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tgxeiC = "c:\\Windows\\System32\\tgxeiC.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\tgxeiC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\New_Salem C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprsr.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaosp.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\wab32.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\OmdBase.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcjavas.inc C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\WMM2CLIP.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.qXiOSQRyvu.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.hCSGoFPchR.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.MwqRSdGpdK.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.UfhDKjwUlW.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.abGtHzlsUx.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en88lwtnlt6us.x.pipedream.net udp
US 34.196.63.177:443 en88lwtnlt6us.x.pipedream.net tcp
US 34.196.63.177:443 en88lwtnlt6us.x.pipedream.net tcp
US 34.196.63.177:443 en88lwtnlt6us.x.pipedream.net tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 qZq.bitbucket.com udp
GB 185.166.141.8:443 qZq.bitbucket.com tcp
US 8.8.8.8:53 ULMLebm.bitbucket.com udp
GB 185.166.141.9:443 ULMLebm.bitbucket.com tcp
US 8.8.8.8:53 OiLDsUn.bitbucket.com udp
GB 185.166.141.8:443 OiLDsUn.bitbucket.com tcp
US 8.8.8.8:53 rNMVcxek.bitbucket.com udp
GB 185.166.141.7:443 rNMVcxek.bitbucket.com tcp
US 8.8.8.8:53 SIGfcnJT.bitbucket.com udp
GB 185.166.141.8:443 SIGfcnJT.bitbucket.com tcp
US 8.8.8.8:53 pMnAKCjBZOwSGR.bitbucket.com udp
GB 185.166.141.9:443 pMnAKCjBZOwSGR.bitbucket.com tcp
US 8.8.8.8:53 www.apkmirror.com udp
US 104.19.135.58:443 www.apkmirror.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp
US 8.8.8.8:53 tVkDBjvKLY.gTpPFOzDvEDfDOHtyXvB.readme.io udp
US 104.16.242.118:443 tVkDBjvKLY.gTpPFOzDvEDfDOHtyXvB.readme.io tcp
US 8.8.8.8:53 FwvTQ.IOgNlITLBqHFDlKxQZLN.readme.io udp
US 104.16.241.118:443 FwvTQ.IOgNlITLBqHFDlKxQZLN.readme.io tcp
US 8.8.8.8:53 vrODHHNg.LIQzEansVzRwsNfPEuUr.readme.io udp
US 104.16.241.118:443 vrODHHNg.LIQzEansVzRwsNfPEuUr.readme.io tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 yYXC.SsSmypYHfapzJLqvZWco.readme.io udp
US 104.16.242.118:443 yYXC.SsSmypYHfapzJLqvZWco.readme.io tcp
US 8.8.8.8:53 XAdsGZ.HDyYLBBsDPwgtvhUEZCK.readme.io udp
US 104.16.242.118:443 XAdsGZ.HDyYLBBsDPwgtvhUEZCK.readme.io tcp
US 8.8.8.8:53 MJFKi.uctINxhbvfUoXVWBkogj.readme.io udp
US 104.16.241.118:443 MJFKi.uctINxhbvfUoXVWBkogj.readme.io tcp
US 8.8.8.8:53 uWgvTOPcHT.BbOSucvBKcbhwmeIJNPN.readme.io udp
US 104.16.242.118:443 uWgvTOPcHT.BbOSucvBKcbhwmeIJNPN.readme.io tcp
US 8.8.8.8:53 PoHjqUTALDSxN.qCMxjuxxVGkYHjQljUJX.readme.io udp
US 104.16.242.118:443 PoHjqUTALDSxN.qCMxjuxxVGkYHjQljUJX.readme.io tcp
US 8.8.8.8:53 DmUhgHIwhOM.lcuvrTHGNEervnPTfHEU.readme.io udp
US 104.16.241.118:443 DmUhgHIwhOM.lcuvrTHGNEervnPTfHEU.readme.io tcp
US 8.8.8.8:53 siCSBfbEcRxVV.txQgXrQwXnqvYGHHbYup.readme.io udp
US 104.16.242.118:443 siCSBfbEcRxVV.txQgXrQwXnqvYGHHbYup.readme.io tcp
US 8.8.8.8:53 Iy.VWQopSzAQMWLJmazkSfy.readme.io udp
US 104.16.241.118:443 Iy.VWQopSzAQMWLJmazkSfy.readme.io tcp
US 8.8.8.8:53 y.VZKmgRCcdGArQZhhCvmI.readme.io udp
US 104.16.242.118:443 y.VZKmgRCcdGArQZhhCvmI.readme.io tcp
US 8.8.8.8:53 KTnIedo.WhxwDYdPFPjRYiLaATqO.readme.io udp
US 104.16.241.118:443 KTnIedo.WhxwDYdPFPjRYiLaATqO.readme.io tcp
US 8.8.8.8:53 BlLGruZPt.EiDAHVmMmMnXylNxSolW.readme.io udp
US 104.16.242.118:443 BlLGruZPt.EiDAHVmMmMnXylNxSolW.readme.io tcp
US 8.8.8.8:53 www.jmxyc.com udp

Files

memory/2196-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/2196-1-0x0000000000400000-0x00000000010B6000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5 068f52458893161260b602cbd7ca0648
SHA1 a2d78d3df65ef2febfcdc9459a48b62d3ad6b17f
SHA256 3a2dc79c5ea3a9e90307d89fbe1f188398d7005f2c0857114d06e3bd5316d7ca
SHA512 b38fc6f68f4fe9e3ea23bb99c90692635208dee990642123ef600d50a80370b504dc1b47eac31a86faf0346121014dd2dfed3c3db2869d7226c2fd9f4abe1029

C:\Users\Admin\AppData\Local\Temp\Cab847D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar84A0.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar85AF.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82da6553c4fc3c20b1ef16585c66f08c
SHA1 dbea1fa3268e58e81b54b0b768a0bef19b460b6e
SHA256 805f443201ac8911984ea0222e9823261763ae44a13d3ffdf86601a998d485af
SHA512 cb2c624fc8b4150511ebb9c66e2236a78c83c92a745c05c9cd9efeeaef62e2db3c9536ffd8ce9229c7a77c4e2aee09eb671a11a0d32e9c9e46f4678d0d426649

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3215b620e4b415221361ba5382e48e4c
SHA1 fb6fac5ba037a695756609b1984039289ec6fef5
SHA256 0b5c08f344274ceeb5f603f455a4899db5d7d7048479b69b52ff7ee39197afbf
SHA512 328f1e5e2ee040f98a644d54d08f8359524ec5655ad042bdd0393eac0c0d9af0530c8dc06cb1ec72e4706698be32d12bca2fbaed0899a6346ecaf9c30da01bed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 0490ac10944de4aba592612293278588
SHA1 2ba5cb64e183490ff64b6b046fa74bfeb05f38a1
SHA256 b308ad3f5d00247d7e6088d59b2c5ccbd12422223444ed9497f3803e7126d63a
SHA512 c2e1dc76c7a60d11989f3559928f2b369f2da830c772a846e09bf0362e37cf52806d4a813adfcf276a5eb0d2fd582414e8f9e66b4a09cead6ad1c44f632b0167

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55db452a84a2308965456dc00aecc225
SHA1 3c164a8f7f51fd0c50e4e3acca7af2abbbe8f3f3
SHA256 bb5460312f33b0325d66d2eb1fc52758d7ed14303731db39845bc15e253c9d65
SHA512 57978ce1d0ccc0cbda063bde1d575ef73391b167b1c868cced2c1db0f56b52c5a7a9efd9c5b8f2a73888cc0bfdd3e5faf9ae7cda0f888dbcc117343625da6c70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdb651b448902f46c5c51cedbbf43e0f
SHA1 d586ba7bc6fc5508b55015dc483a8c0f59ca1765
SHA256 f383d075cdd4402c17b3a02ad124054bda752e5ddad1ec7d2ab5acaffaa026c8
SHA512 eaef9a97252c91c958d6c88f8d3d97c0d63e7d6a82f9567c8e97f21e3da48814ea61eec860a9c80d1310c286d659cf4416e4a51c80b1b02ec094746018ae95ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 957cfefb6e4b1f1560e8dd0630b1f737
SHA1 2cbd0484189996559befba85fbf054a52015bec3
SHA256 96a6bcd2e2ab8944c7b9a82bc7667487fc634934650b71dc178e607c5a8ce889
SHA512 b11a5fe112c67bda446b47ecee2a359a814dae734f3ef5de973ef0ffba43353628647f8bc957c7172dfa58f40d1029011fbccb91fade3e9706407c1f42d25f70

memory/2196-741-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-971-0x0000000000400000-0x00000000010B6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b79a6843798853361b67f4060f0a4083
SHA1 0e923e675371ddbc22d9262e8cb67a4332f839f6
SHA256 22371ccef457cbe9ab9b2a9e323d89e198cfb5ac7d79bf4145704ddcec4a4bd7
SHA512 497be31d6b655f3b6b66a6dbb3419c40775c63ff743ed756e68e3b664b05148c7c04ddee745013951b8066f255e7acc3f9f6ff0e8e39ef8d60ab36268db13640

memory/2196-1103-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-1329-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-1521-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-1746-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-1815-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2196-1819-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2196-1821-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2196-1824-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/2196-1826-0x0000000000330000-0x0000000000340000-memory.dmp

memory/2196-1828-0x0000000000340000-0x0000000000350000-memory.dmp

memory/2196-1830-0x0000000000350000-0x0000000000360000-memory.dmp

memory/2196-1832-0x0000000000360000-0x0000000000382000-memory.dmp

memory/2196-1835-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/2196-1836-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/2196-1840-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-1841-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/2196-1842-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2196-1843-0x0000000000401000-0x00000000010B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 16:23

Reported

2024-05-25 16:26

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\npt.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_100_percent.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Photo Viewer\PhotoBase.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\officemui.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\es.pak C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\clrcompression.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.iNqvdXRpOK.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.HCdfCtMcDR.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.YFneHDRszR.com" C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_18fe5738d772328617229f3f94081f88_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 en88lwtnlt6us.x.pipedream.net udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 34.196.150.82:443 en88lwtnlt6us.x.pipedream.net tcp
US 34.196.150.82:443 en88lwtnlt6us.x.pipedream.net tcp
US 34.196.150.82:443 en88lwtnlt6us.x.pipedream.net tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 82.150.196.34.in-addr.arpa udp
US 8.8.8.8:53 65.140.162.3.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 asVdqVpsiOixy.nvLxNYZpYKcEWLaiMyko.readme.io udp
US 104.16.242.118:443 asVdqVpsiOixy.nvLxNYZpYKcEWLaiMyko.readme.io tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 CpBKPeR.QLunqyBlPjSwNvIdJdfM.readme.io udp
US 104.16.241.118:443 CpBKPeR.QLunqyBlPjSwNvIdJdfM.readme.io tcp
US 8.8.8.8:53 YUHGw.AmYwsraKKvVxoatMoYSW.readme.io udp
US 104.16.241.118:443 YUHGw.AmYwsraKKvVxoatMoYSW.readme.io tcp
US 8.8.8.8:53 u.MRipIEiQEpxcrqhhAaPt.readme.io udp
US 104.16.241.118:443 u.MRipIEiQEpxcrqhhAaPt.readme.io tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 AciVdFNQuU.PpAyUkpdXxnfFxLiUmUa.readme.io udp
US 104.16.241.118:443 AciVdFNQuU.PpAyUkpdXxnfFxLiUmUa.readme.io tcp
US 8.8.8.8:53 TkSI.zDrpvOpnkLnFccfugGxX.readme.io udp
US 104.16.242.118:443 TkSI.zDrpvOpnkLnFccfugGxX.readme.io tcp
US 8.8.8.8:53 G.RmTpNwMiFrBciDjelYqi.readme.io udp
US 104.16.241.118:443 G.RmTpNwMiFrBciDjelYqi.readme.io tcp
US 8.8.8.8:53 ctFPqaUzmMQesW.vPEHDydbzehccuIKeALU.readme.io udp
US 104.16.241.118:443 ctFPqaUzmMQesW.vPEHDydbzehccuIKeALU.readme.io tcp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 VoRgBQCURtEmdd.VRBRmOHSoykAIhubuchB.readme.io udp
US 104.16.241.118:443 VoRgBQCURtEmdd.VRBRmOHSoykAIhubuchB.readme.io tcp
US 8.8.8.8:53 DIhIeJtJuocw.ZNOgiVsibXOkzFnmTaOc.readme.io udp
US 8.8.8.8:53 abrakadabra.host udp
US 104.16.242.118:443 DIhIeJtJuocw.ZNOgiVsibXOkzFnmTaOc.readme.io tcp
US 8.8.8.8:53 PeuLr.nexUqxBhqKtzPUXReNnG.readme.io udp
US 104.16.241.118:443 PeuLr.nexUqxBhqKtzPUXReNnG.readme.io tcp
US 8.8.8.8:53 vKuHerXiQOyg.QIacwGvOoPtZrodfCTdy.readme.io udp
US 104.16.242.118:443 vKuHerXiQOyg.QIacwGvOoPtZrodfCTdy.readme.io tcp
US 8.8.8.8:53 NsCpMeTvPwIUp.QhNSOJyEMDjXziyaVrND.readme.io udp
US 104.16.242.118:443 NsCpMeTvPwIUp.QhNSOJyEMDjXziyaVrND.readme.io tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 CLEooAG.yymbonbnevuMvrdNgvvr.readme.io udp
US 104.16.241.118:443 CLEooAG.yymbonbnevuMvrdNgvvr.readme.io tcp
US 8.8.8.8:53 aRBdamvxiOeCQT.IcfsisvTUIBqqOChwCZa.readme.io udp
US 104.16.241.118:443 aRBdamvxiOeCQT.IcfsisvTUIBqqOChwCZa.readme.io tcp
US 8.8.8.8:53 COX.EnnFFtHHvTfOnPjUWJUz.readme.io udp
US 104.16.242.118:443 COX.EnnFFtHHvTfOnPjUWJUz.readme.io tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 UaEzc.bitbucket.com udp
GB 185.166.141.9:443 UaEzc.bitbucket.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 9.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 MMxhSbnVRxHa.bitbucket.com udp
GB 185.166.141.9:443 MMxhSbnVRxHa.bitbucket.com tcp
US 8.8.8.8:53 CsmuSkwQNtSO.bitbucket.com udp
GB 185.166.141.9:443 CsmuSkwQNtSO.bitbucket.com tcp
US 8.8.8.8:53 gvAydIdehx.bitbucket.com udp
GB 185.166.141.9:443 gvAydIdehx.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 ZXklR.bitbucket.com udp
GB 185.166.141.7:443 ZXklR.bitbucket.com tcp
US 8.8.8.8:53 yQVIicDztcVvk.bitbucket.com udp
GB 185.166.141.8:443 yQVIicDztcVvk.bitbucket.com tcp
US 8.8.8.8:53 fdcBEcayE.bitbucket.com udp
GB 185.166.141.8:443 fdcBEcayE.bitbucket.com tcp
US 8.8.8.8:53 8.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 7.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 GJJA.qwXKUopBzNgxTEtTYRLf.readme.io udp
US 104.16.241.118:443 GJJA.qwXKUopBzNgxTEtTYRLf.readme.io tcp
US 8.8.8.8:53 qFynC.zKtUSMxFDYiMwqibKXOM.readme.io udp
US 104.16.241.118:443 qFynC.zKtUSMxFDYiMwqibKXOM.readme.io tcp
US 8.8.8.8:53 wsPOGNnZ.PWmJVitDMAkfPYFRzxyp.readme.io udp
US 104.16.242.118:443 wsPOGNnZ.PWmJVitDMAkfPYFRzxyp.readme.io tcp
US 8.8.8.8:53 TSHMUHTvsWf.uQWraaNeKBzoUOsJktZf.readme.io udp
US 104.16.242.118:443 TSHMUHTvsWf.uQWraaNeKBzoUOsJktZf.readme.io tcp
US 8.8.8.8:53 PkUXzZ.DGPiUQCLZeyyfzYpHaYI.readme.io udp
US 104.16.242.118:443 PkUXzZ.DGPiUQCLZeyyfzYpHaYI.readme.io tcp
US 8.8.8.8:53 Auw.SuiwKlVDqxabTwEdOSDx.readme.io udp
US 104.16.242.118:443 Auw.SuiwKlVDqxabTwEdOSDx.readme.io tcp
US 8.8.8.8:53 XlRu.bitbucket.com udp
GB 185.166.141.8:443 XlRu.bitbucket.com tcp
US 8.8.8.8:53 NDJElXGqwE.bitbucket.com udp
GB 185.166.141.9:443 NDJElXGqwE.bitbucket.com tcp
US 8.8.8.8:53 b.bitbucket.com udp
GB 185.166.141.9:443 b.bitbucket.com tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 UtEvCTtzuocpJ.bitbucket.com udp
GB 185.166.141.9:443 UtEvCTtzuocpJ.bitbucket.com tcp
US 8.8.8.8:53 18.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 FjyEyOSyb.bitbucket.com udp
GB 185.166.141.9:443 FjyEyOSyb.bitbucket.com tcp
US 8.8.8.8:53 SSAoJquMJvGkGh.bitbucket.com udp
GB 185.166.141.7:443 SSAoJquMJvGkGh.bitbucket.com tcp
US 8.8.8.8:53 Mwvmq.bitbucket.com udp
GB 185.166.141.9:443 Mwvmq.bitbucket.com tcp
US 8.8.8.8:53 FIiWrJXQquf.bitbucket.com udp
GB 185.166.141.7:443 FIiWrJXQquf.bitbucket.com tcp
US 8.8.8.8:53 swWfhNfq.bitbucket.com udp
GB 185.166.141.8:443 swWfhNfq.bitbucket.com tcp
US 8.8.8.8:53 PEoPPCs.bitbucket.com udp
GB 185.166.141.8:443 PEoPPCs.bitbucket.com tcp
US 8.8.8.8:53 Nwa.bitbucket.com udp
GB 185.166.141.9:443 Nwa.bitbucket.com tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 jySXvqe.ZpfuTyZFkSeHwERIVPIm.readme.io udp
US 104.16.242.118:443 jySXvqe.ZpfuTyZFkSeHwERIVPIm.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 QzzTSTXFIl.nYOFXyfcxcWtmQRjtDwM.readme.io udp
US 104.16.242.118:443 QzzTSTXFIl.nYOFXyfcxcWtmQRjtDwM.readme.io tcp
US 8.8.8.8:53 Zyj.wUtxovoxTJoxoFxxjIcf.readme.io udp
US 104.16.242.118:443 Zyj.wUtxovoxTJoxoFxxjIcf.readme.io tcp
US 8.8.8.8:53 GKbEeegErpiyH.OPsxdoSqiTMHNnStUUAI.readme.io udp
US 104.16.242.118:443 GKbEeegErpiyH.OPsxdoSqiTMHNnStUUAI.readme.io tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 5.145.216.31.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 EnTxgetiwiyIhh.lnARnETIoZxDKvcqKIRR.readme.io udp
US 104.16.241.118:443 EnTxgetiwiyIhh.lnARnETIoZxDKvcqKIRR.readme.io tcp
US 8.8.8.8:53 FKupGCq.eQUeQIRmZPZBBfJaucVf.readme.io udp
US 104.16.241.118:443 FKupGCq.eQUeQIRmZPZBBfJaucVf.readme.io tcp
US 8.8.8.8:53 qfmlZI.DzLTvKAWdswNhvNhiqwC.readme.io udp
US 104.16.242.118:443 qfmlZI.DzLTvKAWdswNhvNhiqwC.readme.io tcp
US 8.8.8.8:53 Evie.qHFZYNxIzrKdamkwvgcV.readme.io udp
US 104.16.241.118:443 Evie.qHFZYNxIzrKdamkwvgcV.readme.io tcp
US 8.8.8.8:53 XFAQEjNVxhL.cHzZbZDnOAkHBnabqbDL.readme.io udp
US 104.16.242.118:443 XFAQEjNVxhL.cHzZbZDnOAkHBnabqbDL.readme.io tcp
US 8.8.8.8:53 z.BXZIxOXzMuOkfFWelmdU.readme.io udp
US 104.16.241.118:443 z.BXZIxOXzMuOkfFWelmdU.readme.io tcp
US 8.8.8.8:53 apAQa.SXweCFncWFZYufprpWiD.readme.io udp
US 104.16.241.118:443 apAQa.SXweCFncWFZYufprpWiD.readme.io tcp
US 8.8.8.8:53 FTgTdHFj.YvtESvNRpzWZtCrmBcAn.readme.io udp
US 104.16.242.118:443 FTgTdHFj.YvtESvNRpzWZtCrmBcAn.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 tkjszhFlYvvb.fFtdIJtivjsxvatbdwcI.readme.io udp
US 104.16.241.118:443 tkjszhFlYvvb.fFtdIJtivjsxvatbdwcI.readme.io tcp
US 8.8.8.8:53 YVNDErlt.WTTZOkZOhToBNNySLzKo.readme.io udp
US 104.16.241.118:443 YVNDErlt.WTTZOkZOhToBNNySLzKo.readme.io tcp
US 8.8.8.8:53 noscullsnow.com udp
US 8.8.8.8:53 mega.co.nz udp
LU 66.203.124.31:443 mega.co.nz tcp
US 8.8.8.8:53 31.124.203.66.in-addr.arpa udp
US 8.8.8.8:53 www.bates.edu udp
US 134.181.132.45:443 www.bates.edu tcp
US 8.8.8.8:53 45.132.181.134.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 HVAK.zHEfQNSSueQbqlwmubYN.readme.io udp
US 104.16.241.118:443 HVAK.zHEfQNSSueQbqlwmubYN.readme.io tcp
US 8.8.8.8:53 ydPCUU.qBBTVgyFycvRMCosPOes.readme.io udp
US 104.16.241.118:443 ydPCUU.qBBTVgyFycvRMCosPOes.readme.io tcp
US 8.8.8.8:53 rOuHkxGnEAHfQI.bitbucket.com udp
US 8.8.8.8:53 abrakadabra.host udp
GB 185.166.141.7:443 rOuHkxGnEAHfQI.bitbucket.com tcp
US 8.8.8.8:53 uRdjkAR.bitbucket.com udp
GB 185.166.141.9:443 uRdjkAR.bitbucket.com tcp
US 8.8.8.8:53 aWlGrTqeNZhHJy.bitbucket.com udp
GB 185.166.141.9:443 aWlGrTqeNZhHJy.bitbucket.com tcp
US 8.8.8.8:53 r.bitbucket.com udp
GB 185.166.141.9:443 r.bitbucket.com tcp
US 8.8.8.8:53 umfMKYTBzg.bitbucket.com udp
GB 185.166.141.8:443 umfMKYTBzg.bitbucket.com tcp
US 8.8.8.8:53 H.bitbucket.com udp
GB 185.166.141.9:443 H.bitbucket.com tcp
US 8.8.8.8:53 aBFFxxWviW.bitbucket.com udp
GB 185.166.141.9:443 aBFFxxWviW.bitbucket.com tcp
US 8.8.8.8:53 W.bitbucket.com udp
GB 185.166.141.8:443 W.bitbucket.com tcp
US 8.8.8.8:53 ARxw.bitbucket.com udp
GB 185.166.141.8:443 ARxw.bitbucket.com tcp
US 8.8.8.8:53 vzncptLDpviU.bitbucket.com udp
GB 185.166.141.8:443 vzncptLDpviU.bitbucket.com tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/1928-0-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll

MD5 a2d3973ec10c58348b6a375be43a32db
SHA1 3c1d579d890faacf30f896733cb4438e8f7d7dda
SHA256 fc7b38d143f6224d5c7b8ac222f90f265914695fbf42e20d02880c1ed6bbb72e
SHA512 9e498b2b3ff6cf5ac119188e83ee7e0564703dbfea6f5afb4136be27060f470ee1692db53b276a7914ece97304a26028d6c47ff329ee22b12ccd5ac954d91578

memory/1928-655-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-1753-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-2316-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-2828-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-3869-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-4458-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-4459-0x0000000000060000-0x0000000000062000-memory.dmp

memory/1928-4462-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-4463-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/1928-4465-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1928-4466-0x0000000000401000-0x00000000010B5000-memory.dmp