Malware Analysis Report

2025-03-15 08:12

Sample ID 240529-xsph9afc43
Target 2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike
SHA256 56f44c13fe7fe3d2015fc9f8c47325f629e97154bace250954e1ba94de606bac
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56f44c13fe7fe3d2015fc9f8c47325f629e97154bace250954e1ba94de606bac

Threat Level: Known bad

The file 2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Detects executables containing URLs to raw contents of a Github gist

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Detects executables containing URLs to raw contents of a Github gist

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:07

Reported

2024-05-29 19:09

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Lima C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Juneau C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\install.log C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kabul C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tk.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\ado\adovbs.inc C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\release C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ZycnhRaIxJ.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.dfHSVLEwYF.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 8.8.8.8:53 sl.FdxYMFGPMDelGEgbVpbi.readme.io udp
US 50.17.249.53:443 en6yogdxz5mjo.x.pipedream.net tcp
US 50.17.249.53:443 en6yogdxz5mjo.x.pipedream.net tcp
US 50.17.249.53:443 en6yogdxz5mjo.x.pipedream.net tcp
US 104.16.241.118:443 sl.FdxYMFGPMDelGEgbVpbi.readme.io tcp
US 8.8.8.8:53 IkqTe.RiOgLdMTyJJHoTZHlqsA.readme.io udp
US 104.16.242.118:443 IkqTe.RiOgLdMTyJJHoTZHlqsA.readme.io tcp
US 8.8.8.8:53 sEviRkhHao.EoOgPjcdKkOVbQXTczhR.readme.io udp
US 104.16.241.118:443 sEviRkhHao.EoOgPjcdKkOVbQXTczhR.readme.io tcp
US 8.8.8.8:53 JLAbQYuiCnUG.AUMQferRXcOUXbMzwfhc.readme.io udp
US 104.16.241.118:443 JLAbQYuiCnUG.AUMQferRXcOUXbMzwfhc.readme.io tcp
US 8.8.8.8:53 MXBpOCUWooGT.QtxxplKUQcGmLjNewxQA.readme.io udp
US 104.16.242.118:443 MXBpOCUWooGT.QtxxplKUQcGmLjNewxQA.readme.io tcp
US 8.8.8.8:53 poPv.NoFXKSPpmPgdceIfYEeC.readme.io udp
US 104.16.242.118:443 poPv.NoFXKSPpmPgdceIfYEeC.readme.io tcp
US 8.8.8.8:53 LeJmWi.gqyZczyubKPasBZHEOLk.readme.io udp
US 104.16.241.118:443 LeJmWi.gqyZczyubKPasBZHEOLk.readme.io tcp
US 8.8.8.8:53 UVzb.cJKcAxXUdkBlprjrZxZa.readme.io udp
US 104.16.242.118:443 UVzb.cJKcAxXUdkBlprjrZxZa.readme.io tcp
US 8.8.8.8:53 UhEQR.WjUomZeAVPZTGWmeIicd.readme.io udp
US 104.16.241.118:443 UhEQR.WjUomZeAVPZTGWmeIicd.readme.io tcp
US 8.8.8.8:53 bCuOVgfgr.miiLdMiEqcICqIGsUkRI.readme.io udp
US 104.16.242.118:443 bCuOVgfgr.miiLdMiEqcICqIGsUkRI.readme.io tcp
US 8.8.8.8:53 NTyYkikENQLFU.RpHbmPahVhaKdtrysLax.readme.io udp
US 104.16.241.118:443 NTyYkikENQLFU.RpHbmPahVhaKdtrysLax.readme.io tcp
US 8.8.8.8:53 cVZkxEPquvTy.eygWaTaENuaFnVCkpOyO.readme.io udp
US 104.16.241.118:443 cVZkxEPquvTy.eygWaTaENuaFnVCkpOyO.readme.io tcp
US 8.8.8.8:53 kkYYHYctlOx.LFOcPEUsYrHgnRkKVHkz.readme.io udp
US 104.16.241.118:443 kkYYHYctlOx.LFOcPEUsYrHgnRkKVHkz.readme.io tcp
US 8.8.8.8:53 vqS.VyiWKtvmSrsiiQbIISRU.readme.io udp
US 104.16.241.118:443 vqS.VyiWKtvmSrsiiQbIISRU.readme.io tcp
US 8.8.8.8:53 h.RVaqIUZXBqnFIYdushzL.readme.io udp
US 104.16.241.118:443 h.RVaqIUZXBqnFIYdushzL.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 WMhpu.bitbucket.com udp
GB 185.166.141.8:443 WMhpu.bitbucket.com tcp
US 8.8.8.8:53 jivqyPK.bitbucket.com udp
GB 185.166.141.8:443 jivqyPK.bitbucket.com tcp
US 8.8.8.8:53 iAVaLy.bitbucket.com udp
GB 185.166.141.9:443 iAVaLy.bitbucket.com tcp
US 8.8.8.8:53 oTcrDEWbsTOFAp.bitbucket.com udp
GB 185.166.141.9:443 oTcrDEWbsTOFAp.bitbucket.com tcp
US 8.8.8.8:53 jZhnXSlQgAUf.bitbucket.com udp
GB 185.166.141.8:443 jZhnXSlQgAUf.bitbucket.com tcp
US 8.8.8.8:53 TeYhjDFWpkul.bitbucket.com udp
GB 185.166.141.9:443 TeYhjDFWpkul.bitbucket.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 saPiPod.dHrSasCHkojgOuBDUjnH.readme.io udp
US 104.16.241.118:443 saPiPod.dHrSasCHkojgOuBDUjnH.readme.io tcp
US 8.8.8.8:53 iyEHsQS.LfuuMeSNkjBmrSlcFShv.readme.io udp
US 104.16.241.118:443 iyEHsQS.LfuuMeSNkjBmrSlcFShv.readme.io tcp
US 8.8.8.8:53 SzjFBuHs.GwTeeZZeSDgzbWhgtsCE.readme.io udp
US 104.16.241.118:443 SzjFBuHs.GwTeeZZeSDgzbWhgtsCE.readme.io tcp
US 104.16.242.118:443 SzjFBuHs.GwTeeZZeSDgzbWhgtsCE.readme.io tcp
US 8.8.8.8:53 NWE.MTIrybfOcnrMqWqybUta.readme.io udp
US 104.16.242.118:443 NWE.MTIrybfOcnrMqWqybUta.readme.io tcp
US 8.8.8.8:53 rRVnH.BmMSmIllPiuRkpEMchfb.readme.io udp
US 104.16.241.118:443 rRVnH.BmMSmIllPiuRkpEMchfb.readme.io tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 cUK.EcLMEqNOrHONiDuIfxHl.readme.io udp
US 104.16.242.118:443 cUK.EcLMEqNOrHONiDuIfxHl.readme.io tcp
US 8.8.8.8:53 e.MQGvuexOMMoJaqJhOzRS.readme.io udp
US 104.16.242.118:443 e.MQGvuexOMMoJaqJhOzRS.readme.io tcp
US 8.8.8.8:53 jJGX.OLyrLzumcCEylveNSgdi.readme.io udp
US 104.16.242.118:443 jJGX.OLyrLzumcCEylveNSgdi.readme.io tcp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp

Files

memory/2936-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/2936-1-0x0000000000400000-0x00000000010B6000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll.exe

MD5 f274f601f7a024766d6b70b88f276732
SHA1 643012820e179e36c87f2fc88d0678d02404ed32
SHA256 62f5436529199962471eb5466369183d59e1a79dc33e1f1b2d0c7d5e71630591
SHA512 d547d461f32a7e91e2fd50e814018e5b41718c52f7a728a1d322250aaaa34fdad53e11953ee278bf6471b78d511047935bc9cf03ae07253453ce80c7f82ac08a

C:\Users\Admin\AppData\Local\Temp\Cab172C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar174C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab18A5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar18C9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3003976ce345cce654780a0a9aa029cf
SHA1 298bf11d6d3ab4885964d42a6451c98490bac59c
SHA256 f1a7b26f585bcc9fa98aa399c9bb82801ae6a3bdf88b43827ff000fca19aa198
SHA512 0a5eeb3cb8683eb553371e85ea66905025e50aeb17ca25f913ad2c3c2d5e027d41e8917f5e60b69aa45a933721eb20bc2d1d101b1e1ab7a7a255db44fd845b76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20f94b7818d8f9543dffae310789ffbb
SHA1 dd15f7f00aad3a3832f4b4a870a4b3653272b8be
SHA256 33f1f8f02e0a38d4629dd66293252af16f9a5f26c3401018571f8c4b29203a90
SHA512 18e1380efe47ebcbd0b8e91ba0d6fbc4bbb1df1b599655687c8f79abe5edd45fe5e949cc85fe828e8f4a36d10115d796468894ca0c4784ea8b6deb393aba2a08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 57aa6e0268d0a307d0c115943d4e6806
SHA1 6c1e35a029a67541f4befc46d7d72905317eda2d
SHA256 bf2a8763b0b85828ed4e03db611ce192b065c99d764c68dc4da6d9071d063ce7
SHA512 e2b72c299c0c339d8ec34eb508988a70831818b94c33289b121d2d8886986f493c4825a099fb7933baa63eb8114b3eff7bed9f40084e6771a4f38b238180ec91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48a93b542e8a233a9e549b858658f6a5
SHA1 372768f7724f9627e3d00bea8205d035c4484391
SHA256 4dd7bc7d0ac7c68bb6f9b49c233371d93c0099fe21fb22468560ef3eb276ff82
SHA512 50416845e17472b267b73eca21df877536843b56f412cb6a3a21912fce2f4b149382edbbf96598816be6437b9ddf42a1e61103970d78f284f877cf0281de0f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49925f6744a7ab41db46fcab9a75320b
SHA1 96af69dd46861d9daec25bbb26fa1f4940cf6874
SHA256 2b276925849f424f718aaa453f70b45f466b1bac94ba9f07005931d0eb3110c9
SHA512 05d04981bd509e44fa0533fffec2fcf82b7f57339ce62525ee6d09dda60eecf9d68b1ff40e02b33455deadd95067c9f4d41d01c95274250a0df3f5c2d23a9407

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a257ad25a0371e23f85debee178ec42
SHA1 e250a15d831e89723c90a4c1f863c09e0c1bc67c
SHA256 dd757f90debe71606d4126764dace771de72943ce0d8e13376502cd9e2c65aa6
SHA512 6db33a8c585c95be460a6d5afe39576e7bdba87aecb55add21fa899f381a2567b564277115a43786cb0cfa81430de45cb960b5a7a898560ccc5933a78ee3b0ed

memory/2936-1060-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-1074-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-2508-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-3817-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-4470-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-4471-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-4474-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2936-4475-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2936-4476-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2936-4477-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/2936-4478-0x0000000000300000-0x0000000000400000-memory.dmp

memory/2936-4479-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2936-4480-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/2936-4481-0x0000000004690000-0x0000000004691000-memory.dmp

memory/2936-4485-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/2936-4484-0x0000000000400000-0x00000000010B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:07

Reported

2024-05-29 19:09

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\Mso50win32client.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.1d9d722e.pri C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-200.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmpersistence_xl.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogo.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\NATIVESHIM.RESOURCES.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\1033\msointl30.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.VCxlVBenun.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.rjQhfwzMea.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.eQeTMgAPhe.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.rsUjHgrxwt.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.JdwdETZMXX.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.grBzTwpZxn.com" C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c36382c8a4ce3c050f4b36777d76181b_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 113.174.240.54.in-addr.arpa udp
US 8.8.8.8:53 111.81.85.54.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 www.jmxyc.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 WcuDyDJLTBs.QgbhpRzlixLhfTvXRjIW.readme.io udp
US 104.16.241.118:443 WcuDyDJLTBs.QgbhpRzlixLhfTvXRjIW.readme.io tcp
US 8.8.8.8:53 jJG.KTFrrCBWUYLdzdUNdYSB.readme.io udp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 104.16.242.118:443 jJG.KTFrrCBWUYLdzdUNdYSB.readme.io tcp
US 8.8.8.8:53 cQAvgeQDgCvb.xeyxwjCvkizafJDiiGDC.readme.io udp
US 104.16.242.118:443 cQAvgeQDgCvb.xeyxwjCvkizafJDiiGDC.readme.io tcp
US 8.8.8.8:53 PHKbKI.zknZuczJFEEKNZWUPYGo.readme.io udp
US 104.16.241.118:443 PHKbKI.zknZuczJFEEKNZWUPYGo.readme.io tcp
US 8.8.8.8:53 ViL.mTeAKBvfbCvAMYWEoUUo.readme.io udp
US 104.16.242.118:443 ViL.mTeAKBvfbCvAMYWEoUUo.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 fFipeteaHx.MuNKSjIFqcLTzXyPfBRe.readme.io udp
US 104.16.241.118:443 fFipeteaHx.MuNKSjIFqcLTzXyPfBRe.readme.io tcp
US 8.8.8.8:53 kcOzja.wVpTPNjTePzFXwuNLKxq.readme.io udp
US 104.16.242.118:443 kcOzja.wVpTPNjTePzFXwuNLKxq.readme.io tcp
US 8.8.8.8:53 Je.cZFZglrTSEYCShRCzRsH.readme.io udp
US 104.16.242.118:443 Je.cZFZglrTSEYCShRCzRsH.readme.io tcp
US 8.8.8.8:53 DhhbMpMFSPflrs.iTedwqLAAxBQiwUHUkXc.readme.io udp
US 104.16.242.118:443 DhhbMpMFSPflrs.iTedwqLAAxBQiwUHUkXc.readme.io tcp
US 8.8.8.8:53 tcYaamjxZ.bYWWpZNccfEwaMCJXHZS.readme.io udp
US 104.16.241.118:443 tcYaamjxZ.bYWWpZNccfEwaMCJXHZS.readme.io tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
US 8.8.8.8:53 TgiBcRaKPA.bitbucket.com udp
GB 185.166.141.9:443 TgiBcRaKPA.bitbucket.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 9.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 hUiJGzQHciU.bitbucket.com udp
GB 185.166.141.9:443 hUiJGzQHciU.bitbucket.com tcp
US 8.8.8.8:53 FsMtO.bitbucket.com udp
GB 185.166.141.7:443 FsMtO.bitbucket.com tcp
US 8.8.8.8:53 wKaIPXlBQZNO.bitbucket.com udp
GB 185.166.141.9:443 wKaIPXlBQZNO.bitbucket.com tcp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 7.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 h.bitbucket.com udp
GB 185.166.141.8:443 h.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 8.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 cTLMaZjr.FKNfuDqaYCMJewiSZXCm.readme.io udp
US 104.16.242.118:443 cTLMaZjr.FKNfuDqaYCMJewiSZXCm.readme.io tcp
US 8.8.8.8:53 UjDXADgAuz.zazDNYhhIbPQLrhGHgqu.readme.io udp
US 104.16.242.118:443 UjDXADgAuz.zazDNYhhIbPQLrhGHgqu.readme.io tcp
US 8.8.8.8:53 LfHDkq.mBCgYeQNAfkLINuEhuCs.readme.io udp
US 104.16.242.118:443 LfHDkq.mBCgYeQNAfkLINuEhuCs.readme.io tcp
US 8.8.8.8:53 QfJzria.UBXSzSXlBNujCMCmWTQw.readme.io udp
US 104.16.241.118:443 QfJzria.UBXSzSXlBNujCMCmWTQw.readme.io tcp
US 8.8.8.8:53 MGLo.JNAreUDpvvEZKOtUpEoC.readme.io udp
US 104.16.241.118:443 MGLo.JNAreUDpvvEZKOtUpEoC.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 www.bates.edu udp
US 134.181.132.45:443 www.bates.edu tcp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 45.132.181.134.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 GGOnr.bitbucket.com udp
GB 185.166.141.9:443 GGOnr.bitbucket.com tcp
US 8.8.8.8:53 mO.bitbucket.com udp
GB 185.166.141.8:443 mO.bitbucket.com tcp
US 8.8.8.8:53 boOoUjU.bitbucket.com udp
GB 185.166.141.8:443 boOoUjU.bitbucket.com tcp
US 8.8.8.8:53 EAQE.bitbucket.com udp
GB 185.166.141.8:443 EAQE.bitbucket.com tcp
US 8.8.8.8:53 beePUz.bitbucket.com udp
GB 185.166.141.9:443 beePUz.bitbucket.com tcp
US 8.8.8.8:53 hF.bitbucket.com udp
GB 185.166.141.9:443 hF.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 idcomercial.com.br udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 lWSZl.yNeQSIYHMlMPTHDOncUt.readme.io udp
US 104.16.241.118:443 lWSZl.yNeQSIYHMlMPTHDOncUt.readme.io tcp
US 8.8.8.8:53 qtLVmMpTFU.ScEuIEfkVYyYDjSmxxGu.readme.io udp
US 104.16.242.118:443 qtLVmMpTFU.ScEuIEfkVYyYDjSmxxGu.readme.io tcp
US 8.8.8.8:53 EBQnWYEXCmh.yZxuXfasJRxFaOcCwpZj.readme.io udp
US 104.16.242.118:443 EBQnWYEXCmh.yZxuXfasJRxFaOcCwpZj.readme.io tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 mqcAtlehyT.oicxUWqDgcbthDCRJEWY.readme.io udp
US 104.16.241.118:443 mqcAtlehyT.oicxUWqDgcbthDCRJEWY.readme.io tcp
US 8.8.8.8:53 FX.tEXOMpOvshRhNuaLesZO.readme.io udp
US 104.16.242.118:443 FX.tEXOMpOvshRhNuaLesZO.readme.io tcp
US 8.8.8.8:53 pOGBNR.IoVbNBFXLtZIiSSAgvhg.readme.io udp
US 104.16.241.118:443 pOGBNR.IoVbNBFXLtZIiSSAgvhg.readme.io tcp
US 8.8.8.8:53 W.frddVjWvRnELjAsRXnay.readme.io udp
US 104.16.241.118:443 W.frddVjWvRnELjAsRXnay.readme.io tcp
US 8.8.8.8:53 bbCcogU.KsDDENMezHpBCSvzEVXE.readme.io udp
US 104.16.241.118:443 bbCcogU.KsDDENMezHpBCSvzEVXE.readme.io tcp
US 8.8.8.8:53 VvGS.ZrDaZjelBxGhGIEuvKzc.readme.io udp
US 104.16.241.118:443 VvGS.ZrDaZjelBxGhGIEuvKzc.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/400-0-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-1-0x00000000000E0000-0x00000000000F0000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll

MD5 af5bd6ab7c4e710c256cf4ac0396f849
SHA1 b6a410e638fbd2ae584f6fe7da4ee2ce5acd4971
SHA256 ab94e574f6f2740a43a59b73d32b02b4d16edb9eb91531bc1ca76324a0eebb3e
SHA512 695a92c8e8e4abe413e93b8ec7f4c8844d556e6381487368c29a0931d14f9272d1359566b25ca526d71ffed6b5927f0f3c557a8ca003842dc33a5b704c50dd43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 e424d94d16ddf38e3b59dc631cb89088
SHA1 147a622739131906f82961fe789aa331ac138025
SHA256 1e93a374cd2291b722847006d164a2c1834dbe9f3d6bbf6e777a185ac4fec3af
SHA512 c8699b58b61875353bd4c0a8a9d70cc9b8e6cc65ed2afdf5b297fdf831c902c090d2f7ef5675071e27b451da1484227392a426e9f11b4cf96b0b4ae012baa504

memory/400-751-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-1911-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-2505-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-3086-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-4193-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-4998-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-4999-0x0000000000060000-0x0000000000062000-memory.dmp

memory/400-5004-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/400-5006-0x0000000005730000-0x0000000005731000-memory.dmp

memory/400-5005-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/400-5007-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/400-5008-0x0000000000400000-0x00000000010B6000-memory.dmp