Malware Analysis Report

2025-03-15 08:12

Sample ID 240529-xrtftaec8w
Target 2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike
SHA256 1a0143debf12deec42c507272f51498fc613b68cc800f6acbc96031861caee50
Tags
cobaltstrike xmrig backdoor miner trojan upx 0
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a0143debf12deec42c507272f51498fc613b68cc800f6acbc96031861caee50

Threat Level: Known bad

The file 2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig backdoor miner trojan upx 0

Xmrig family

Detects executables containing URLs to raw contents of a Github gist

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Detects executables containing URLs to raw contents of a Github gist

XMRig Miner payload

UPX packed file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:05

Reported

2024-05-29 19:08

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\7-Zip\7z.dll.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\vi.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Metlakatla C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guatemala C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\freebl3.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\update-settings.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Internet Explorer\F12Tools.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Seoul C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.QrirMLTTSf.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.BdtozfAusb.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.lEdEfzhsHC.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.FLLlUTohWA.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.IvEhgqudqU.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.lujkWmJXWf.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca60f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba87030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a919000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 8.8.8.8:53 SXE.bitbucket.com udp
GB 185.166.141.8:443 SXE.bitbucket.com tcp
US 34.198.18.32:443 en6yogdxz5mjo.x.pipedream.net tcp
US 34.198.18.32:443 en6yogdxz5mjo.x.pipedream.net tcp
US 34.198.18.32:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 M.bitbucket.com udp
GB 185.166.141.9:443 M.bitbucket.com tcp
US 8.8.8.8:53 XpgoVVVxzbH.bitbucket.com udp
GB 185.166.141.9:443 XpgoVVVxzbH.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 dswcaCowq.vtcqEGbYzsAKbhfxQygR.readme.io udp
US 104.16.241.118:443 dswcaCowq.vtcqEGbYzsAKbhfxQygR.readme.io tcp
US 8.8.8.8:53 AfftrlbR.lNMSxRKmuJpHuWvPxQLG.readme.io udp
US 104.16.241.118:443 AfftrlbR.lNMSxRKmuJpHuWvPxQLG.readme.io tcp
US 8.8.8.8:53 Fcoxt.kZKzWVgUSaysgkccRPRT.readme.io udp
US 104.16.242.118:443 Fcoxt.kZKzWVgUSaysgkccRPRT.readme.io tcp
US 8.8.8.8:53 suOPjDy.CWutPDybxOCEAjAEehzQ.readme.io udp
US 104.16.241.118:443 suOPjDy.CWutPDybxOCEAjAEehzQ.readme.io tcp
US 8.8.8.8:53 LhWNLcXGkBeJ.GWlwUoLXTBIVNYWYLXev.readme.io udp
US 104.16.241.118:443 LhWNLcXGkBeJ.GWlwUoLXTBIVNYWYLXev.readme.io tcp
US 8.8.8.8:53 rIEd.sPGjBrEdaXooelizWJqE.readme.io udp
US 104.16.241.118:443 rIEd.sPGjBrEdaXooelizWJqE.readme.io tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 XeHgHxOE.bitbucket.com udp
GB 185.166.141.8:443 XeHgHxOE.bitbucket.com tcp
US 8.8.8.8:53 GSCJjWL.bitbucket.com udp
GB 185.166.141.7:443 GSCJjWL.bitbucket.com tcp
US 8.8.8.8:53 IRsccTPfqBcb.bitbucket.com udp
GB 185.166.141.7:443 IRsccTPfqBcb.bitbucket.com tcp
US 8.8.8.8:53 sFGRct.bitbucket.com udp
GB 185.166.141.9:443 sFGRct.bitbucket.com tcp
US 8.8.8.8:53 noscullsnow.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp
US 8.8.8.8:53 ANPXaC.sfndNPbZezSrKBDDkPFd.readme.io udp
US 104.16.242.118:443 ANPXaC.sfndNPbZezSrKBDDkPFd.readme.io tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/2248-1-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll.exe

MD5 839e6201004422bd950a5f1f7e2d28ca
SHA1 ba12e30f3568fcc756998c12db0e59c57d303678
SHA256 be4554e6f370f5994c6b5d7cafb2cb7758969579a6c0a83f66b8f4fb27885a2a
SHA512 4d9639b0274c504fe8e156b635200cb47f32fa177a87290c198bf0fd0a917e09ca9b7d7af3d4ab529d834111fb575ce2c491925f4e0d2077311d8c1a80ad4843

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar94B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29190c7157663709fd64a8f3f955a4a6
SHA1 e55b5befead5b6ccd94248c3df4f291b5ebf2dc2
SHA256 f216699baec7164ead03e1b17ca068394232fc1a7d87a754be5f18d9e6f1f774
SHA512 654ee82315d0fcb23e721c48e6a2f1797392e2acc725d0352d021ac81693da264aff7612105f4b529632feaa41544484af3851aece9242163c5f5a9e2b36c0e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f0ceff61d596fcebd2806ca989c9d89
SHA1 3f05f4a5333a4391326d4a4fb5dd6f111a85ff5a
SHA256 ee92aa51efa1a4570bc12deecef149acae2f40dc201dd8274d4f053e1686ded8
SHA512 c4a45518f2c964c45cbd29340112f01d005669df53ff5d81e64e1b09f38139b6b690de664a03d7d58220568487e11e558db430480327545ff06195cffafda139

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 697a0d889020c511c2a1ed5fb77a3f2c
SHA1 485812176eb24fe36b47f82cf4e396976d606811
SHA256 b109ed3469ed405d5680a12c06581e6524dc08db24593e854cf3ca3af62e5544
SHA512 eae760b0512cb27f53a9bc798ea9d69638e422ac9d3d30acfa6b70dd417f8c4b9b852aea9f9c445d70f3ad4c76d7e3a3826e3a389fa7197304c5b7fbeb40dcb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad4628bd6937b13f2847f30baa3f7034
SHA1 9a225d443acb5e65af74b22546a22138f9696769
SHA256 9b5172030435ce52ae513e3a749552125ff4d6c3aa75072cb3e7fac22aef41ff
SHA512 dc36546bc9f226b5cccf1ee5a5690ff779ee9f4e798ca640be51d112568da5d2da1abd767b2f903160702d2d9e599a8676979d6f93c596a5dd08ddad618fbf83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 c5806cbfa94aef364a1c4577b0ebba61
SHA1 16dc093ccba2f13ecfe0c0d96c4b72013d0ea581
SHA256 2cd34782b4a895a6cd123f7d21464c4a8ee6ab573a5e0c1dcaaf8c4afb106990
SHA512 bfd7e1e3e85e7cd8d7b349354ba21d4af29e3c1978301dee96fb8cce7241d28c90113e14a8789068282f803084548a50cc4de194b9ee06017601d4f9f7e6fbca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 867307b4441e2678e3911fc3baac8210
SHA1 1ddb85260d44cdc7be55cddb50f7454d51b97bf5
SHA256 c0d3e5ceeea4c7e8f52d56e92a20ddf9abec52241e659b91578fd2f41c820f90
SHA512 9c35fab948af9352531c96a085ee50abdf54f0126193d68b47d62319c875c880304dd05feda7dd8208d549bd222fee6a3d52468d9452454ab3749927495c322b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f8cba65843934074279025b577a8d00
SHA1 50f3e4563a797f2452171987cefc9c931c51794b
SHA256 e5441a1fe2a6565368c02236db15bcd7bcfe064be5f4d7b3be8747ec5d097bd5
SHA512 7ea2e2a0260b57e969b79f55948ccf12afbdcf86ff7c9304190e8c50df3208d5685b1821bfa974448387bc2e98a1d23a0f8345e2b30ca27e12b6250cce8217ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88dbed960f71592ec472465f3875f869
SHA1 a4e55535d1638b37e6b9718cdab19816f6b3bf90
SHA256 a60de8059a16f82be928a0e200e6f4b1e3634f464ce28e141ef6affb91a4de55
SHA512 fe4861f663784853a202db1e54709866f73c132760bdffe9bb9a4e3e3aeed6f673576f1b0bb1601808a713a47c19dbf2e59eb2138b84176c723197b654570ee7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9f69348b9b689903178d67372c67321
SHA1 87b6e361fc58fd010df776d2f3b97c62636a0a5a
SHA256 382dbd6baec93eddb269652367533db397fa535a75addad4c021890d9340b0b5
SHA512 cd1364d1859c2b0e47c5e01872498fc751beca30813f28c93cf2d8b0c82ad831e40eaeada81bc1d6f7944670cb087080217ee8edbd1eb6e37ff033649494f5fa

memory/2248-1128-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-1133-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-2178-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-3282-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-4239-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-4607-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-4610-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2248-4611-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2248-4612-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2248-4614-0x0000000000370000-0x0000000000380000-memory.dmp

memory/2248-4615-0x0000000000380000-0x0000000000390000-memory.dmp

memory/2248-4616-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/2248-4617-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/2248-4618-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-4619-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/2248-4620-0x00000000046A0000-0x00000000046A1000-memory.dmp

memory/2248-4623-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2248-4624-0x0000000000401000-0x00000000010B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:05

Reported

2024-05-29 19:08

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaosp.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\2.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.SqlServer.Configuration.SString.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\README.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextService.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymb.ttf C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoProfilePicture.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jsound.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_nv12_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\javafx.properties C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.DApLCJUypr.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.jFbFiQryor.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.QrQbCGgSGg.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.AUBxbxjkxF.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.cQSpXtwTJV.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.SdQAuYjUlP.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.174.240.54.in-addr.arpa udp
US 8.8.8.8:53 111.81.85.54.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 www.jmxyc.com udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 yOqwTE.MyivMBbWHqutJGNgJmWu.readme.io udp
US 104.16.242.118:443 yOqwTE.MyivMBbWHqutJGNgJmWu.readme.io tcp
US 8.8.8.8:53 vOUIMdilRhPr.atUxookXYlyQmyYJAXgx.readme.io udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 104.16.242.118:443 vOUIMdilRhPr.atUxookXYlyQmyYJAXgx.readme.io tcp
US 8.8.8.8:53 vqC.VPNKPOvaxMdJkHWUkNph.readme.io udp
US 104.16.241.118:443 vqC.VPNKPOvaxMdJkHWUkNph.readme.io tcp
US 8.8.8.8:53 xWK.bitbucket.com udp
GB 185.166.141.7:443 xWK.bitbucket.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 8.8.8.8:53 7.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 yAZNGwRWJD.bitbucket.com udp
GB 185.166.141.8:443 yAZNGwRWJD.bitbucket.com tcp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 8.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 rVNkcWdSMViyvc.bitbucket.com udp
GB 185.166.141.9:443 rVNkcWdSMViyvc.bitbucket.com tcp
US 8.8.8.8:53 CneSDDIauQvdTz.bitbucket.com udp
GB 185.166.141.9:443 CneSDDIauQvdTz.bitbucket.com tcp
US 8.8.8.8:53 9.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 iOkiuUneRbu.bitbucket.com udp
GB 185.166.141.8:443 iOkiuUneRbu.bitbucket.com tcp
US 8.8.8.8:53 mLQ.bitbucket.com udp
GB 185.166.141.7:443 mLQ.bitbucket.com tcp
US 8.8.8.8:53 lzhTpoSbeDQK.bitbucket.com udp
GB 185.166.141.8:443 lzhTpoSbeDQK.bitbucket.com tcp
US 8.8.8.8:53 nhjljMqHUD.bitbucket.com udp
GB 185.166.141.9:443 nhjljMqHUD.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 Wffg.JVdsOAFMcDcQeBBliBzV.readme.io udp
US 104.16.242.118:443 Wffg.JVdsOAFMcDcQeBBliBzV.readme.io tcp
US 8.8.8.8:53 ebxhraphtxosT.vsQXgaRyOIyJsjaZfXiG.readme.io udp
US 104.16.242.118:443 ebxhraphtxosT.vsQXgaRyOIyJsjaZfXiG.readme.io tcp
US 8.8.8.8:53 nTxD.IRCWlOfbAUTcWewuQALJ.readme.io udp
US 104.16.242.118:443 nTxD.IRCWlOfbAUTcWewuQALJ.readme.io tcp
US 8.8.8.8:53 NNdEGbJvwNddgV.sTwuBtLkImwAXnsgMzsY.readme.io udp
US 104.16.242.118:443 NNdEGbJvwNddgV.sTwuBtLkImwAXnsgMzsY.readme.io tcp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 wsBysBoovp.bitbucket.com udp
GB 185.166.141.7:443 wsBysBoovp.bitbucket.com tcp
US 8.8.8.8:53 N.bitbucket.com udp
GB 185.166.141.9:443 N.bitbucket.com tcp
US 8.8.8.8:53 LZmDUHmeWt.bitbucket.com udp
GB 185.166.141.7:443 LZmDUHmeWt.bitbucket.com tcp
US 8.8.8.8:53 lW.bitbucket.com udp
GB 185.166.141.9:443 lW.bitbucket.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 www.jmxyc.com udp
US 8.8.8.8:53 uKElwv.qhDyErcYjhZnCnHPoTAx.readme.io udp
US 104.16.241.118:443 uKElwv.qhDyErcYjhZnCnHPoTAx.readme.io tcp
US 8.8.8.8:53 suXeOlDtgbW.RzwgUEhnIbPejWiXYAoU.readme.io udp
US 104.16.242.118:443 suXeOlDtgbW.RzwgUEhnIbPejWiXYAoU.readme.io tcp
US 8.8.8.8:53 mIJJkad.NdXgFoBUNwPdFArpFRXR.readme.io udp
US 104.16.242.118:443 mIJJkad.NdXgFoBUNwPdFArpFRXR.readme.io tcp
US 8.8.8.8:53 fUojoADvcGu.uczlSGlzXtbeKuunLbsP.readme.io udp
US 104.16.241.118:443 fUojoADvcGu.uczlSGlzXtbeKuunLbsP.readme.io tcp
US 8.8.8.8:53 bknIy.CcSlYRVPjJRJucspjHtK.readme.io udp
US 104.16.241.118:443 bknIy.CcSlYRVPjJRJucspjHtK.readme.io tcp
US 8.8.8.8:53 aiNhdLxkPYkxU.kduzGudPYYkMwnqVMKiF.readme.io udp
US 8.8.8.8:53 abrakadabra.host udp
US 104.16.241.118:443 aiNhdLxkPYkxU.kduzGudPYYkMwnqVMKiF.readme.io tcp
US 8.8.8.8:53 thmmBwxv.kAKbVxNYxeLlilkvKWrd.readme.io udp
US 104.16.241.118:443 thmmBwxv.kAKbVxNYxeLlilkvKWrd.readme.io tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 jXsKCXmm.bKXcibAakJtyCXOonrti.readme.io udp
US 104.16.242.118:443 jXsKCXmm.bKXcibAakJtyCXOonrti.readme.io tcp
US 8.8.8.8:53 SRwYwp.FXxHoebUtlrAIDOJudyG.readme.io udp
US 104.16.242.118:443 SRwYwp.FXxHoebUtlrAIDOJudyG.readme.io tcp
US 8.8.8.8:53 JkPjRK.zdMJUrfqWDXdxcxZZovL.readme.io udp
US 104.16.241.118:443 JkPjRK.zdMJUrfqWDXdxcxZZovL.readme.io tcp
US 8.8.8.8:53 GMlUEKgb.OPwHPkaXzEyzPgMlpIEn.readme.io udp
US 104.16.242.118:443 GMlUEKgb.OPwHPkaXzEyzPgMlpIEn.readme.io tcp
US 8.8.8.8:53 jOHYmdTdmvKNon.xbqHwzLQnedTwbSdrqSE.readme.io udp
US 104.16.241.118:443 jOHYmdTdmvKNon.xbqHwzLQnedTwbSdrqSE.readme.io tcp
US 8.8.8.8:53 mVhlU.uQBJdniGuyeNUJOKGUpn.readme.io udp
US 104.16.242.118:443 mVhlU.uQBJdniGuyeNUJOKGUpn.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 dPvokhLDorhQiu.eAbhDFYNbbEVhngFfUZm.readme.io udp
US 104.16.241.118:443 dPvokhLDorhQiu.eAbhDFYNbbEVhngFfUZm.readme.io tcp
US 8.8.8.8:53 JoHeGknc.ytaKTIMfkfjStCEobUrJ.readme.io udp
US 104.16.242.118:443 JoHeGknc.ytaKTIMfkfjStCEobUrJ.readme.io tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 ThtmlPr.OedKRijwXDCAITMFXGwu.readme.io udp
US 104.16.242.118:443 ThtmlPr.OedKRijwXDCAITMFXGwu.readme.io tcp
US 8.8.8.8:53 VOgXnOJP.uoqtnOcqDwqERIHEZMxA.readme.io udp
US 104.16.242.118:443 VOgXnOJP.uoqtnOcqDwqERIHEZMxA.readme.io tcp
US 8.8.8.8:53 N.JjZqwUMeMlIOuFoOBeWx.readme.io udp
US 104.16.241.118:443 N.JjZqwUMeMlIOuFoOBeWx.readme.io tcp
US 8.8.8.8:53 sEsCz.XYMZFsztoQEjuBGlHxeF.readme.io udp
US 104.16.241.118:443 sEsCz.XYMZFsztoQEjuBGlHxeF.readme.io tcp
US 8.8.8.8:53 ewkBtOgDyQSvW.XRgtDoXvyrUJfQehYRDf.readme.io udp
US 104.16.241.118:443 ewkBtOgDyQSvW.XRgtDoXvyrUJfQehYRDf.readme.io tcp
US 8.8.8.8:53 eDuchddp.wnLwKnypuxmIzrLPfFGc.readme.io udp
US 104.16.242.118:443 eDuchddp.wnLwKnypuxmIzrLPfFGc.readme.io tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1404-0-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-1-0x00000000001E0000-0x00000000001F0000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll

MD5 904f62a8a5b760f030ec7fad9ff7843e
SHA1 f57e1581dcc843799a59c369cfc884fe23857aac
SHA256 94bd77a9c578a552e69c66b4d84ae86a47b40dbacc789c94b60c5f47e4e3a713
SHA512 8b25f10e171692d13f0b4f01fc81cbe651073b1bf9dd93becc03c2710bb63f3ac34e05c6fd4f47b67487fced3f9161e0ee57ccb1beee5bd4328cccf63b72fda4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

memory/1404-813-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-2105-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-2760-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-3307-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-4346-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-4698-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-4699-0x0000000000060000-0x0000000000062000-memory.dmp

memory/1404-4704-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/1404-4705-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-4706-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/1404-4707-0x0000000005B60000-0x0000000005B61000-memory.dmp

memory/1404-4708-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1404-4711-0x0000000000401000-0x00000000010B5000-memory.dmp