Malware Analysis Report

2025-03-15 08:09

Sample ID 240530-lkxn4seb65
Target 2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike
SHA256 557e35d9f9be9364349dcb2af342837fa97a8d24665baa5a09fc11d54fbfec8a
Tags
cobaltstrike xmrig backdoor miner trojan upx 0 persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

557e35d9f9be9364349dcb2af342837fa97a8d24665baa5a09fc11d54fbfec8a

Threat Level: Known bad

The file 2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig backdoor miner trojan upx 0 persistence

XMRig Miner payload

Xmrig family

Detects executables containing URLs to raw contents of a Github gist

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Cobaltstrike

UPX dump on OEP (original entry point)

Detects executables containing URLs to raw contents of a Github gist

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX packed file

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 09:36

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 09:36

Reported

2024-05-30 09:38

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\fr-FR\Chess.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\StopWatch.M2TS C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcvbs.inc C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DissolveNoise.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Journal\Templates\Shorthand.jtp C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\application.ini C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.soVXBSUUvo.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.gnjHRFrwxS.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 8.8.8.8:53 YEHOWMSPTMAlV.fwNUACxvwZdykDSRchMv.readme.io udp
US 100.25.58.152:443 en6yogdxz5mjo.x.pipedream.net tcp
US 100.25.58.152:443 en6yogdxz5mjo.x.pipedream.net tcp
US 100.25.58.152:443 en6yogdxz5mjo.x.pipedream.net tcp
US 104.16.241.118:443 YEHOWMSPTMAlV.fwNUACxvwZdykDSRchMv.readme.io tcp
US 8.8.8.8:53 zzOcqXYFWwwf.wPxFHgEoOwYqmqflrBjf.readme.io udp
US 104.16.241.118:443 zzOcqXYFWwwf.wPxFHgEoOwYqmqflrBjf.readme.io tcp
US 8.8.8.8:53 FGxuu.lVjIEdGeoetdHTuWSjve.readme.io udp
US 104.16.241.118:443 FGxuu.lVjIEdGeoetdHTuWSjve.readme.io tcp
US 8.8.8.8:53 AiuUnqhMm.LjOzxtbwbWghhxThklpt.readme.io udp
US 104.16.242.118:443 AiuUnqhMm.LjOzxtbwbWghhxThklpt.readme.io tcp
US 8.8.8.8:53 efakpDUWxKUH.YAizCtGrQmvYjUfVcnyZ.readme.io udp
US 104.16.241.118:443 efakpDUWxKUH.YAizCtGrQmvYjUfVcnyZ.readme.io tcp
US 8.8.8.8:53 Xg.TJaFXStztWJgzErvmWLY.readme.io udp
US 104.16.241.118:443 Xg.TJaFXStztWJgzErvmWLY.readme.io tcp
US 8.8.8.8:53 gzlAvfKuT.RlbPTcStIAkaGYXTwapH.readme.io udp
US 104.16.242.118:443 gzlAvfKuT.RlbPTcStIAkaGYXTwapH.readme.io tcp
US 8.8.8.8:53 rFLIDItelZ.BWhgUVJIEkatLXIdhnuU.readme.io udp
US 104.16.242.118:443 rFLIDItelZ.BWhgUVJIEkatLXIdhnuU.readme.io tcp
US 8.8.8.8:53 etxUiEcz.euWfdEJFZAiyEPsevIVH.readme.io udp
US 104.16.241.118:443 etxUiEcz.euWfdEJFZAiyEPsevIVH.readme.io tcp
US 8.8.8.8:53 XnHFIHBquAQ.GofnPkHcMXpvYbTfoMbo.readme.io udp
US 104.16.242.118:443 XnHFIHBquAQ.GofnPkHcMXpvYbTfoMbo.readme.io tcp
US 8.8.8.8:53 Ekx.EGaEddWPvywlnEfBhqsO.readme.io udp
US 104.16.241.118:443 Ekx.EGaEddWPvywlnEfBhqsO.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 e.xbwpLLIQhQwefezRpgPO.readme.io udp
US 104.16.242.118:443 e.xbwpLLIQhQwefezRpgPO.readme.io tcp
US 8.8.8.8:53 QFUAhyGMH.uowjPxZtpJJSqrxnYxzJ.readme.io udp
US 104.16.241.118:443 QFUAhyGMH.uowjPxZtpJJSqrxnYxzJ.readme.io tcp
US 8.8.8.8:53 k.sndvgqpxicbzszcawBtg.readme.io udp
US 104.16.242.118:443 k.sndvgqpxicbzszcawBtg.readme.io tcp
US 8.8.8.8:53 wUTPVLumEOTIU.MXaErQiEManRMIHBRWbp.readme.io udp
US 104.16.241.118:443 wUTPVLumEOTIU.MXaErQiEManRMIHBRWbp.readme.io tcp
US 8.8.8.8:53 Hhe.ZoYNKXHBfJZOBmLuMkpa.readme.io udp
US 104.16.242.118:443 Hhe.ZoYNKXHBfJZOBmLuMkpa.readme.io tcp
US 8.8.8.8:53 mMQMNbsMqtPF.rrVKrMzkLGaiSKotxybC.readme.io udp
US 104.16.242.118:443 mMQMNbsMqtPF.rrVKrMzkLGaiSKotxybC.readme.io tcp
US 8.8.8.8:53 vBTvC.YcToquMilrDIEQTPQndp.readme.io udp
US 104.16.242.118:443 vBTvC.YcToquMilrDIEQTPQndp.readme.io tcp
US 8.8.8.8:53 noscullsnow.com udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 BFCol.bitbucket.com udp
GB 185.166.141.9:443 BFCol.bitbucket.com tcp
US 8.8.8.8:53 WErAjhVuMlRyM.bitbucket.com udp
GB 185.166.141.8:443 WErAjhVuMlRyM.bitbucket.com tcp
US 8.8.8.8:53 tcoQPsDw.bitbucket.com udp
GB 185.166.141.8:443 tcoQPsDw.bitbucket.com tcp
US 8.8.8.8:53 qlaFSGV.bitbucket.com udp
GB 185.166.141.7:443 qlaFSGV.bitbucket.com tcp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp
US 8.8.8.8:53 qNlRSFDfwVSd.FwjAcMgDTdLwRrnbOhfc.readme.io udp
US 104.16.241.118:443 qNlRSFDfwVSd.FwjAcMgDTdLwRrnbOhfc.readme.io tcp
US 8.8.8.8:53 FIt.bitbucket.com udp
GB 185.166.141.8:443 FIt.bitbucket.com tcp
US 8.8.8.8:53 EHNSENBXRp.bitbucket.com udp
GB 185.166.141.8:443 EHNSENBXRp.bitbucket.com tcp
US 8.8.8.8:53 gBsTv.qGkFRZlLrLXaezMwsDpz.readme.io udp
US 104.16.241.118:443 gBsTv.qGkFRZlLrLXaezMwsDpz.readme.io tcp
US 8.8.8.8:53 csk.qmhHpTbPNndHtckBwShs.readme.io udp
US 104.16.242.118:443 csk.qmhHpTbPNndHtckBwShs.readme.io tcp
US 8.8.8.8:53 ZjWOylQz.adZaSzClWBczHZSKIjOA.readme.io udp
US 104.16.241.118:443 ZjWOylQz.adZaSzClWBczHZSKIjOA.readme.io tcp
US 8.8.8.8:53 QhswVkaZoj.DserjYuggjaIYQZxnglw.readme.io udp
US 104.16.241.118:443 QhswVkaZoj.DserjYuggjaIYQZxnglw.readme.io tcp
US 8.8.8.8:53 HuqTLe.wwwisCigKnWwJrZcPguE.readme.io udp
US 104.16.242.118:443 HuqTLe.wwwisCigKnWwJrZcPguE.readme.io tcp

Files

memory/1728-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/1728-1-0x0000000000400000-0x00000000010B6000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll.exe

MD5 f794781e5050af8624fbeecfc8d012e7
SHA1 8f31bbcb5bb2daca2a6644ea25c2d0668e59eb4d
SHA256 ffa2cf73e851af3696fe659174d309d5b9df767d685b0cd02a220a0e9b604662
SHA512 a35fe9deee8b11fb670db0e2f52e174ab0d2fe13f84cd40c9e5728aae815697049ca914493e1e96fc1eea374410aaea5238ea70b7f20e3d60b4f7e83baa0c18b

C:\Users\Admin\AppData\Local\Temp\Cab191E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1950.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab19ED.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1A23.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3939e96c8f3fe60f9448cd8ec2186e5
SHA1 2380ec007dc9d6d5e808e859758ccfd2bf29c0f2
SHA256 7728d8eba90a18b4c99c6ac2b4267b0d39851c94db91b527265e1aa1e1d2be72
SHA512 3cffe39d7a043014012ddb06decee16ecdbe4a90acc3eaec6bb537142bd69d41f1accbd783047893abcec005a2a8520ea802f90d52a00cf17dff336998510f26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 570eb4b1fc29d5045a7c360b2ecf43e5
SHA1 bf80ffc7ca7902a8dce9e5d6ebe00cd6897b8599
SHA256 3de8274956eea491b53c69bbb35566972d427ca8937e46f0e9d74bb098f93a3e
SHA512 42b6b092e699b86a6e775ec49f2c1307094806916169ea0561ce2fe51c38e44d7131386230daaa9f0c556c9a2eb100e552dd80d00a2d787ab42362a1e0a3c526

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 f18f405983beb0ae5418c2996c8189dc
SHA1 6bf19baef944b409d208a83ace4b8294c3876d48
SHA256 1c340e291746b9688c1cd7ed5f1c61719fc9775f9405fe5707fe6f38bfe75315
SHA512 ac3cb232dd759355ab1a3db88981a82a9a68dc62d02388bacd04ae76161ccab1527ca5930f6aa79be93dc2ba281a99c8f6db4a0237d434488e9e18fb6b2c8bfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa0ffd7d89a4a4cc0241eed49a96b687
SHA1 fecc3d129354c73e38fe6065417f0fabb83c7ab9
SHA256 135e047764d8443f21862abb6b24b97cf1aae75b7770272dac1c77b0872426f1
SHA512 1055ed5a47ca8f4cba01e89f607b1fd1a6b6e8901d86d9b263db59a84701e98aa819bcb36c7bed7ee67c249ac8d1fae7514d8d0e646867b5fd5a4951218768cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 578b24e89aeaae740cf773be8d591d7f
SHA1 a1c5e961e94d68510f7b85849f5964495c1a9d7b
SHA256 d010e2e2862021ed96cf9fabb30ab827641f9ea32c951c947ee57dc79c2cbd5b
SHA512 6c6a77611a83c59a296b8b4496775334180398b07db6399650ef787f361c9ab81da12568f51ff9f9c60b37c3cfd963313df6582a2c5a0359f3781f3d442ea8e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 381c3ad82de9d8115c0cbe9a31890ad8
SHA1 eb68470b0320315a5b3490bbef5504b93f577348
SHA256 7e5d16227dde0c8802deec14c8283228bd17fff1119914245e806acf1a8d71ca
SHA512 38e69f3ebeb9eed2709d81f603f6b9b477e7a805b720db9ca06b907c9061adaa61eb9713806a485ddec96b47ba3ffea55c5068f202c46d926e62f67f948c4344

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a6d202fa67623f3eb2a946510f934b7
SHA1 13ae320910d29c9b526bae10cad1fe892bec1ca9
SHA256 9b05e0b5c2c3210217bd8066752859060bf57ce4694daada1a1b052a62f51084
SHA512 9f89af142719232c10cb88464639386c1cc0800e5331dafd088fd08bda49a87c53fd0b056632446e7f1d66eb2209e6a7b04ff6bedc1678072ff306be9bad0bf2

memory/1728-1030-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-1043-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-2067-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-3065-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-3956-0x0000000000400000-0x00000000010B6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01d0955f69e166b12ef760d4f3c5119b
SHA1 bb5cf87c268da911db04df83ec459106d56aacbd
SHA256 0b5d770be3203013ee1fc278784cf60603843cb5fc01cb9c26247153d8034a86
SHA512 6dfc6d7916de08b52cdf6d046acc21f2178aa9ec6cf6b83a3bd88fc9fc328a996ae0664eb0f106d36aafffc1c329e3c1d7b9717a3f50ba6273e6088e9bf14610

memory/1728-4229-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-4284-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1728-4285-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1728-4286-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1728-4287-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/1728-4288-0x0000000000330000-0x0000000000352000-memory.dmp

memory/1728-4289-0x0000000000360000-0x0000000000370000-memory.dmp

memory/1728-4290-0x0000000000370000-0x0000000000380000-memory.dmp

memory/1728-4291-0x0000000000380000-0x0000000000390000-memory.dmp

memory/1728-4292-0x00000000003B0000-0x00000000003F0000-memory.dmp

memory/1728-4293-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/1728-4294-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-4295-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/1728-4296-0x0000000004680000-0x0000000004681000-memory.dmp

memory/1728-4299-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/1728-4300-0x0000000000401000-0x00000000010B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:36

Reported

2024-05-30 09:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sQGXjfr = "c:\\Windows\\System32\\sQGXjfr.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\sQGXjfr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.css C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Fur.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\4px.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_03.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Unipulator.mp4 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-TW.pak C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\offfiltx.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Configuration.winmd C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\README.txt C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.MmXiRoMaft.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.creTOnmZXJ.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.VSCCCsqJlN.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.YbgyOlZuoW.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_93306db8a73f2fece7c57f25061f5a22_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 W.gEceDAfPVvGqRcEwHZsP.readme.io udp
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 100.25.58.152:443 en6yogdxz5mjo.x.pipedream.net tcp
US 100.25.58.152:443 en6yogdxz5mjo.x.pipedream.net tcp
US 100.25.58.152:443 en6yogdxz5mjo.x.pipedream.net tcp
US 104.16.241.118:443 W.gEceDAfPVvGqRcEwHZsP.readme.io tcp
US 8.8.8.8:53 HW.CmhroxFwMLhcrxrftmXy.readme.io udp
US 104.16.242.118:443 HW.CmhroxFwMLhcrxrftmXy.readme.io tcp
US 8.8.8.8:53 DFGjyDNeQbXsX.EWFmRmZuxpAnkWvuZhZP.readme.io udp
US 104.16.241.118:443 DFGjyDNeQbXsX.EWFmRmZuxpAnkWvuZhZP.readme.io tcp
US 8.8.8.8:53 GICHyEher.XIUJhuxtRQfDxEhicQpc.readme.io udp
US 104.16.241.118:443 GICHyEher.XIUJhuxtRQfDxEhicQpc.readme.io tcp
US 8.8.8.8:53 aJwebOkDBu.TgQVBNttcRwoVRDsmSwA.readme.io udp
US 104.16.241.118:443 aJwebOkDBu.TgQVBNttcRwoVRDsmSwA.readme.io tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 152.58.25.100.in-addr.arpa udp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 8.8.8.8:53 38.201.222.52.in-addr.arpa udp
US 8.8.8.8:53 TTZs.UPZLOBpTojBzATHRqbsG.readme.io udp
US 104.16.242.118:443 TTZs.UPZLOBpTojBzATHRqbsG.readme.io tcp
US 8.8.8.8:53 qz.PVORmwVsNYdZbNEGvosF.readme.io udp
US 104.16.241.118:443 qz.PVORmwVsNYdZbNEGvosF.readme.io tcp
US 8.8.8.8:53 tLimgzwcJPL.oPRlqIzpPyzqUbbxkBMO.readme.io udp
US 104.16.242.118:443 tLimgzwcJPL.oPRlqIzpPyzqUbbxkBMO.readme.io tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 jQcFCMRHCR.qfXMarblcOHsFFMzDoIi.readme.io udp
US 104.16.241.118:443 jQcFCMRHCR.qfXMarblcOHsFFMzDoIi.readme.io tcp
US 8.8.8.8:53 NDwiVfw.SoyeEeQUueYbMGYiLXZw.readme.io udp
US 104.16.241.118:443 NDwiVfw.SoyeEeQUueYbMGYiLXZw.readme.io tcp
US 8.8.8.8:53 Vg.oufXJDqoKzoyiQKNqkxE.readme.io udp
US 104.16.242.118:443 Vg.oufXJDqoKzoyiQKNqkxE.readme.io tcp
US 8.8.8.8:53 lpnwkSMqPPIO.cOuRFPiwNcpUvNRBJKnt.readme.io udp
US 104.16.241.118:443 lpnwkSMqPPIO.cOuRFPiwNcpUvNRBJKnt.readme.io tcp
BE 2.17.196.163:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 163.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 5.145.216.31.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 Wo.siADDlXYYXvVbjHlJReA.readme.io udp
US 104.16.241.118:443 Wo.siADDlXYYXvVbjHlJReA.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 vVeY.gjztAZFanTWCNqSxDCDO.readme.io udp
US 104.16.242.118:443 vVeY.gjztAZFanTWCNqSxDCDO.readme.io tcp
US 8.8.8.8:53 pGFY.feiiPuMeFsSIbArOrOfV.readme.io udp
US 104.16.241.118:443 pGFY.feiiPuMeFsSIbArOrOfV.readme.io tcp
US 8.8.8.8:53 cV.qAwNFLNiNCZhZSbZYoSa.readme.io udp
US 104.16.242.118:443 cV.qAwNFLNiNCZhZSbZYoSa.readme.io tcp
US 8.8.8.8:53 BgflHFb.xDfGwDsoHYqhHfGpkSpa.readme.io udp
US 104.16.241.118:443 BgflHFb.xDfGwDsoHYqhHfGpkSpa.readme.io tcp
US 8.8.8.8:53 aTFBAajNYESdWr.gGgaiauhriprYiInYXJM.readme.io udp
US 104.16.242.118:443 aTFBAajNYESdWr.gGgaiauhriprYiInYXJM.readme.io tcp
US 8.8.8.8:53 tKWxd.lsfbHVLKYizVMiykumxd.readme.io udp
US 104.16.241.118:443 tKWxd.lsfbHVLKYizVMiykumxd.readme.io tcp
US 8.8.8.8:53 KpTf.XzhOrPIlKqTYrQAhufxl.readme.io udp
US 104.16.241.118:443 KpTf.XzhOrPIlKqTYrQAhufxl.readme.io tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 eAyKsSaKegK.KfnbpjltcLfcixsRspog.readme.io udp
US 104.16.241.118:443 eAyKsSaKegK.KfnbpjltcLfcixsRspog.readme.io tcp
US 8.8.8.8:53 Qajj.zTYqtAKMEFXSMdYJkRlX.readme.io udp
US 104.16.241.118:443 Qajj.zTYqtAKMEFXSMdYJkRlX.readme.io tcp
US 8.8.8.8:53 XUaJGFbSoDtR.vfAPhQRcZzksOBlFMjNY.readme.io udp
US 104.16.241.118:443 XUaJGFbSoDtR.vfAPhQRcZzksOBlFMjNY.readme.io tcp
US 8.8.8.8:53 yVzWRiqmDAzFG.guPuZOzvjrHNBPfrPGCx.readme.io udp
US 104.16.241.118:443 yVzWRiqmDAzFG.guPuZOzvjrHNBPfrPGCx.readme.io tcp
US 8.8.8.8:53 iaHwFxqQ.EasDFtZibYqNXqIHBtRR.readme.io udp
US 104.16.241.118:443 iaHwFxqQ.EasDFtZibYqNXqIHBtRR.readme.io tcp
US 8.8.8.8:53 ZnMI.nWuTBMjiambhEdCwGgmA.readme.io udp
US 104.16.242.118:443 ZnMI.nWuTBMjiambhEdCwGgmA.readme.io tcp
US 8.8.8.8:53 eOUTynF.cazUfuRWmxhhzNZNFIqd.readme.io udp
US 104.16.242.118:443 eOUTynF.cazUfuRWmxhhzNZNFIqd.readme.io tcp
US 8.8.8.8:53 BkLCBJTqgTU.TyCkjMIXsAwaGWLWUXhi.readme.io udp
US 104.16.241.118:443 BkLCBJTqgTU.TyCkjMIXsAwaGWLWUXhi.readme.io tcp
US 8.8.8.8:53 ky.dJJvsaViBcHeOIGXwPSD.readme.io udp
US 104.16.242.118:443 ky.dJJvsaViBcHeOIGXwPSD.readme.io tcp
US 8.8.8.8:53 ueCXMHaSAHrK.saqcaZsEbRDVugOYxcYt.readme.io udp
US 104.16.242.118:443 ueCXMHaSAHrK.saqcaZsEbRDVugOYxcYt.readme.io tcp
US 8.8.8.8:53 PVcw.bitbucket.com udp
GB 185.166.141.9:443 PVcw.bitbucket.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 H.bitbucket.com udp
GB 185.166.141.8:443 H.bitbucket.com tcp
US 8.8.8.8:53 9.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 8.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 www.apkmirror.com udp
US 104.19.132.58:443 www.apkmirror.com tcp
US 8.8.8.8:53 apps.identrust.com udp
IE 2.18.24.9:80 apps.identrust.com tcp
US 8.8.8.8:53 58.132.19.104.in-addr.arpa udp
US 8.8.8.8:53 9.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 JukLvc.bitbucket.com udp
US 8.8.8.8:53 abrakadabra.host udp
GB 185.166.141.8:443 JukLvc.bitbucket.com tcp
US 8.8.8.8:53 iERsQbQCFFGjhM.bitbucket.com udp
GB 185.166.141.8:443 iERsQbQCFFGjhM.bitbucket.com tcp
US 8.8.8.8:53 LHFbNIbdEg.bitbucket.com udp
GB 185.166.141.8:443 LHFbNIbdEg.bitbucket.com tcp
US 8.8.8.8:53 n.bitbucket.com udp
GB 185.166.141.9:443 n.bitbucket.com tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 QaZZtSLA.xiReUYfrAYfxKvIxsDmh.readme.io udp
US 104.16.242.118:443 QaZZtSLA.xiReUYfrAYfxKvIxsDmh.readme.io tcp
US 8.8.8.8:53 C.npRTqqOrpwNvPpbKFonP.readme.io udp
US 104.16.241.118:443 C.npRTqqOrpwNvPpbKFonP.readme.io tcp
US 8.8.8.8:53 fK.MtkdTnbuxrdoqBJUSwNw.readme.io udp
US 104.16.241.118:443 fK.MtkdTnbuxrdoqBJUSwNw.readme.io tcp
US 8.8.8.8:53 KfW.nCKNpYunwDAsEobZDsyy.readme.io udp
US 104.16.241.118:443 KfW.nCKNpYunwDAsEobZDsyy.readme.io tcp
US 8.8.8.8:53 mzuDKFMiFLzX.GZJGkuEcMuwBOjIWnfim.readme.io udp
US 104.16.241.118:443 mzuDKFMiFLzX.GZJGkuEcMuwBOjIWnfim.readme.io tcp
US 8.8.8.8:53 NpcktySx.ahCrHNoNQhHiotQNyIVh.readme.io udp
US 104.16.242.118:443 NpcktySx.ahCrHNoNQhHiotQNyIVh.readme.io tcp
US 8.8.8.8:53 www.bates.edu udp
US 134.181.132.45:443 www.bates.edu tcp
US 8.8.8.8:53 45.132.181.134.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 gpNU.bitbucket.com udp
GB 185.166.141.8:443 gpNU.bitbucket.com tcp
US 8.8.8.8:53 ddNc.bitbucket.com udp
GB 185.166.141.8:443 ddNc.bitbucket.com tcp
US 8.8.8.8:53 cG.bitbucket.com udp
GB 185.166.141.8:443 cG.bitbucket.com tcp
US 8.8.8.8:53 AkCICmQnelCh.bitbucket.com udp
GB 185.166.141.8:443 AkCICmQnelCh.bitbucket.com tcp
US 8.8.8.8:53 HHkqBZanvb.bitbucket.com udp
GB 185.166.141.8:443 HHkqBZanvb.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 XY.bitbucket.com udp
GB 185.166.141.9:443 XY.bitbucket.com tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 abrakadabra.host udp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/4784-0-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 815a465735cd76d0f68095f84e227f75
SHA1 a55ae6f84fdf31d90f41852dd7c8e8426f767d3e
SHA256 37c69ff3e865082f8a7e7fc37c88f5e4a65894130e36a8af9ecdacb05c717df9
SHA512 276cffec6e834c99c602bbd124bddfc1ad3fc2d759d66929db2b95d3118fff7379a998f853bfde2cfc3c9e9cfae6dae322c4928ce53f233df3aced271fb73dc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

memory/4784-598-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-1671-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-2254-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-2789-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-4031-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-4335-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-4338-0x0000000000060000-0x0000000000062000-memory.dmp

memory/4784-4341-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-4342-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/4784-4343-0x0000000005950000-0x0000000005951000-memory.dmp

memory/4784-4344-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/4784-4347-0x0000000000401000-0x00000000010B5000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 720e528f247e6c743c693596eccf23d0
SHA1 5413c14c770efd3a3833b687dffc2035be0c8ba3
SHA256 876ace0fec5de0db3a61be842afbbbe23135f07f35aa7b60017ad3428e67bca5
SHA512 7e967056a778964036aaa996fb21e2b417aa64caa561d755cd3b950917ce90202d3461380d1c9c734d511b3bcccd48403ac4865af6e6b60e39969b0237626e5f

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 32d322680b13821af550da540b00d226
SHA1 23c85c1b3dd1345863e118dd54b8c4118670374c
SHA256 f6daaf0a1e8ce008d5b271392e1a7bcf3b79c8ade976f89789a190d2f3d6fcc2
SHA512 97864973cebc9d93554779823dbd228713f83af9ca8c484b0d9444e7257853f9ac32335cc85c32806c53d73c75a964207e2cd6d0ac999860a892dedd5cb3080b