Malware Analysis Report

2025-03-15 08:09

Sample ID 240530-lmrkwaec29
Target 2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike
SHA256 4e26cdea03ade9918fdf4bd31a3694b60dee5f290b5e3c7650cf4fa89164f56d
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 4e26cdea03ade9918fdf4bd31a3694b60dee5f290b5e3c7650cf4fa89164f56d
Threat Level: Known bad

The file 2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

Families: Cobaltstrike (tag cobaltstrike), Xmrig (tag xmrig)

Signatures:

Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Detects executables containing URLs to raw contents of a Github gist
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Unsigned PE
Drops desktop.ini file(s)
Drops autorun.inf file
Drops file in Program Files directory
Legitimate hosting services abused for malware hosting/C2
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer start page
Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-30 09:39

Signatures

Every signature below fired in the static pass, but the report records no description, indicator, process or target for any of them (every table cell is N/A), so only the hit counts survive.

Cobalt Strike reflective loader: 1 hit
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts: 1 hit
Detects executables containing URLs to raw contents of a Github gist: 1 hit
UPX dump on OEP (original entry point): 1 hit
XMRig Miner payload (tag: miner): 1 hit
Xmrig family (tag: xmrig)
UPX packed file (tag: upx): 1 hit
Unsigned PE: 2 hits

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 09:39
Reported: 2024-05-30 09:41
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe"

Signatures

The memory and packer signatures below carry no description, indicator, process or target in the report (every table cell is N/A); only the number of hits is preserved.

Cobalt Strike reflective loader: 1 hit

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts: 1 hit

Detects executables containing URLs to raw contents of a Github gist: 8 hits

UPX dump on OEP (original entry point): 10 hits

XMRig Miner payload (tag: miner): 10 hits

UPX packed file (tag: upx): 10 hits

Drops desktop.ini file(s)

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe (target N/A)

File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini
File created C:\Program Files\Microsoft Games\Purble Place\desktop.ini
File created C:\Program Files\Microsoft Games\Solitaire\desktop.ini
File created C:\Program Files\Microsoft Games\Chess\desktop.ini
File created C:\Program Files\Microsoft Games\Mahjong\desktop.ini
File created C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
File created C:\Program Files\desktop.ini

Legitimate hosting services abused for malware hosting/C2

Indicator: raw.githubusercontent.com (3 hits; no description, process or target recorded)

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe (target N/A)

File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Curacao
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak
File opened for modification C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
File created C:\Program Files\Windows Defender\MpCommu.dll
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar
File opened for modification C:\Program Files\Java\jre7\bin\nio.dll
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png
File opened for modification C:\Program Files\Java\jre7\bin\java.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Riga
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Jamaica
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
File opened for modification C:\Program Files\Mozilla Firefox\nss3.dll
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml
File opened for modification C:\Program Files\Java\jre7\lib\management\jmxremote.access
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml
File opened for modification C:\Program Files\Java\jre7\lib\zi\EST
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Havana
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
File created C:\Program Files\Java\jre7\bin\server\classes.jsa
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Midway
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png
File created C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Menominee
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Montevideo

These 64 events are the sandbox's sample of a much larger sweep, and they span executables and DLLs of installed software (java.exe, jli.dll, nio.dll, nss3.dll, MpCommu.dll) as well as time-zone data, images and locale files. That breadth looks like a walk over the whole of Program Files rather than a targeted drop, so the binaries it opened for modification should be pulled from the detonation and diffed against the originals on the image before any of them is treated as clean.

Modifies Internet Explorer start page

stealer
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe (target N/A)

Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page, six times in succession, to:

https://www.xOCalutRaC.com
https://www.kwEMPmpVep.com
https://www.MSltqTgMYk.com
https://www.rMNfutANjG.com
https://www.fmXTopPmVo.com
https://www.CDebxrvpbG.com

All six values are mixed-case random strings, the same pattern as the throwaway *.bitbucket.com subdomains in the Network table, and none of them is ever resolved in the capture (no DNS query for any of them appears in the Network table). Treat them as generated filler rather than as a landing page or C2 address; the indicator worth keeping is the registry write itself.

Modifies system certificate store

evasion spyware trojan
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe (target N/A). Blob values marked [blob not preserved] were stripped from this copy of the report and cannot be recovered here; only the ROOT\CABD2A79... blob survives.

Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob not preserved]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob not preserved]
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob not preserved]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob not preserved]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob not preserved]
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob not preserved]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob not preserved]

What the one preserved blob actually contains: its last property record (id 0x20) is a 1391-byte DER certificate whose subject and issuer strings are readable in the hex (4953524720526f6f74205831 is "ISRG Root X1", preceded by "Internet Security Research Group" and C=US), valid from 2015-06-04 to 2035-06-04 (the two 170d...5a UTCTime fields), and CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of that public Let's Encrypt root. The surrounding AuthRoot writes, together with the CryptnetUrlCache entries and the Cab*.tmp/Tar*.tmp files listed under Files, are the footprint of CryptoAPI fetching and caching roots while the process made its HTTPS connections, which is what a Windows 7 image does when it meets a chain it has not seen. The signature's evasion/spyware tags should therefore not be read as proof that the sample planted its own root; the check that settles it is to decode every Blob, confirm that the SHA-1 of the embedded certificate equals the thumbprint in the key name, and confirm that each subject is a public CA. Only the ISRG entry can be checked from this copy of the report, and it passes.
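The Blob values above use CryptoAPI's serialized certificate-store element format: a sequence of property records, each a 32-bit little-endian property id, a 32-bit field that is 1 in every record here, a 32-bit length and the value. In the one blob this report preserves the records are, in order, the MD5 hash (id 0x04), the key identifier (0x14), the SHA-1 hash (0x03, which is the thumbprint in the key name), the signature hash (0x0F), the public-key MD5 (0x19) and the DER certificate (0x20). The Python below is added here as an example and is not part of the report or of any sandbox or vendor tool: it parses that layout and performs the check described above, that the SHA-1 of the embedded DER equals both the key-name thumbprint and the stored hash. It uses the first five property records of the report's CABD2A79... blob verbatim, and a constructed blob whose "certificate" is the three bytes abc, chosen because the SHA-1 of abc is well known, so the check can be exercised offline without embedding the full 1391-byte DER.

```python
import hashlib
import struct

# Property ids seen in SystemCertificates\...\Blob values (CERT_*_PROP_ID in wincrypt.h).
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_MD5_HASH_PROP_ID = 0x04
CERT_SIGNATURE_HASH_PROP_ID = 0x0F
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID = 0x19
CERT_CERT_PROP_ID = 0x20

PROP_NAMES = {
    CERT_SHA1_HASH_PROP_ID: "sha1_hash",
    CERT_MD5_HASH_PROP_ID: "md5_hash",
    CERT_SIGNATURE_HASH_PROP_ID: "signature_hash",
    CERT_KEY_IDENTIFIER_PROP_ID: "key_identifier",
    CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID: "subject_public_key_md5",
    CERT_CERT_PROP_ID: "der_certificate",
}

# The first five property records of the report's ROOT\CABD2A79... Blob, copied
# verbatim; the sixth record (the 1391-byte DER certificate) is deliberately omitted.
PAGE_BLOB_PREFIX = bytes.fromhex(
    "04000000" "01000000" "10000000" "0cd2f9e0da1773e9ed864da5e370e74e"
    "14000000" "01000000" "14000000" "79b459e67bb6e5e40173800888c81a58f6e99b6e"
    "03000000" "01000000" "14000000" "cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f000000" "01000000" "20000000" "3f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "19000000" "01000000" "10000000" "2fe1f70bb05d7c92335bc5e05b984da6"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized store element into {property_id: value_bytes}.

    Each record is propid (u32 LE), a u32 that is 1 in every record on the
    page, length (u32 LE), then `length` bytes of value. A truncated record
    raises instead of returning partial data, so a damaged blob is never
    mistaken for a short but valid one.
    """
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, _flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id:#x} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def describe_blob(blob: bytes) -> list:
    """Human-readable (name, length) list in record order, for triage output."""
    return [(PROP_NAMES.get(pid, f"prop_{pid:#x}"), len(val))
            for pid, val in parse_cert_blob(blob).items()]


def thumbprint_check(blob: bytes, key_name_thumbprint: str) -> tuple:
    """Return (sha1_of_der, stored_sha1, matches).

    The registry key name is a SHA-1 thumbprint; the blob also carries it as
    property 0x03 and the certificate itself as property 0x20. CryptoAPI writes
    all three together, so if the hash of the DER disagrees with either of the
    other two the entry was not produced by a normal store write.
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    computed = hashlib.sha1(der).hexdigest().upper() if der is not None else None
    stored_hex = stored.hex().upper() if stored is not None else None
    matches = (computed is not None
               and computed == key_name_thumbprint.upper()
               and (stored_hex is None or stored_hex == computed))
    return computed, stored_hex, matches


def build_record(prop_id: int, value: bytes) -> bytes:
    """Serialize one property record in the same layout parse_cert_blob reads."""
    return struct.pack("<III", prop_id, 1, len(value)) + value


# Constructed blob: the "certificate" is b"abc", whose SHA-1 is the well-known
# a9993e36..., so the consistency check can be verified without a real DER.
FAKE_DER = b"abc"
FAKE_THUMBPRINT = "A9993E364706816ABA3E25717850C26C9CD0D89D"
CONSTRUCTED_BLOB = (build_record(CERT_SHA1_HASH_PROP_ID, bytes.fromhex(FAKE_THUMBPRINT))
                    + build_record(CERT_CERT_PROP_ID, FAKE_DER))

if __name__ == "__main__":
    print(describe_blob(PAGE_BLOB_PREFIX))
    print(thumbprint_check(CONSTRUCTED_BLOB, FAKE_THUMBPRINT))
```

Against the full blob from the report, the same function returns CABD2A79A1076A31F21D253635CB039D4329A5E8 for both hashes and True; a planted root would still pass this check if the attacker wrote the entry through CryptoAPI, so the thumbprint test only rules out hand-crafted registry writes and has to be paired with a look at the certificate's subject and issuer.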

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, enabled twice by C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe (indicator and target N/A)

SeLockMemoryPrivilege is the privilege XMRig enables when it tries to back its RandomX dataset with large pages, and almost nothing else that runs from a user's Temp directory has a reason to ask for it (database engines are the usual legitimate claimant). Read together with the xmrig and XMRig Miner payload signatures, this call is a far stronger miner indicator than the generic "AdjustPrivilegeToken" label suggests. Note that the privilege is not assigned to ordinary users by default, so the call can fail without stopping the miner, which simply falls back to normal pages; the attempt is the signal, not its success.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 3.233.47.96:443 en6yogdxz5mjo.x.pipedream.net tcp
US 3.233.47.96:443 en6yogdxz5mjo.x.pipedream.net tcp
US 3.233.47.96:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 oCNdzXMlfeq.bitbucket.com udp
GB 185.166.141.7:443 oCNdzXMlfeq.bitbucket.com tcp
US 8.8.8.8:53 hcvUfgNDnImamA.bitbucket.com udp
GB 185.166.141.7:443 hcvUfgNDnImamA.bitbucket.com tcp
US 8.8.8.8:53 QtsiYxPa.bitbucket.com udp
GB 185.166.141.9:443 QtsiYxPa.bitbucket.com tcp
US 8.8.8.8:53 pr.bitbucket.com udp
GB 185.166.141.9:443 pr.bitbucket.com tcp
US 8.8.8.8:53 agp.bitbucket.com udp
GB 185.166.141.9:443 agp.bitbucket.com tcp
US 8.8.8.8:53 bDOYRQtc.bitbucket.com udp
GB 185.166.141.7:443 bDOYRQtc.bitbucket.com tcp
US 8.8.8.8:53 kampower.com udp
US 185.148.131.244:443 kampower.com tcp
US 8.8.8.8:53 EbKMT.bitbucket.com udp
GB 185.166.141.8:443 EbKMT.bitbucket.com tcp
US 8.8.8.8:53 wiSRqRmXNwg.bitbucket.com udp
GB 185.166.141.7:443 wiSRqRmXNwg.bitbucket.com tcp
US 8.8.8.8:53 O.bitbucket.com udp
GB 185.166.141.8:443 O.bitbucket.com tcp
US 8.8.8.8:53 oKrcjzdg.bitbucket.com udp
GB 185.166.141.7:443 oKrcjzdg.bitbucket.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 GLIIubnZ.bitbucket.com udp
GB 185.166.141.9:443 GLIIubnZ.bitbucket.com tcp
US 8.8.8.8:53 AFbdoblg.bitbucket.com udp
GB 185.166.141.9:443 AFbdoblg.bitbucket.com tcp
US 8.8.8.8:53 hMoNGF.bitbucket.com udp
GB 185.166.141.9:443 hMoNGF.bitbucket.com tcp
US 8.8.8.8:53 TLHLR.bitbucket.com udp
GB 185.166.141.8:443 TLHLR.bitbucket.com tcp
US 8.8.8.8:53 XA.bitbucket.com udp
GB 185.166.141.8:443 XA.bitbucket.com tcp
US 8.8.8.8:53 Z.bitbucket.com udp
GB 185.166.141.9:443 Z.bitbucket.com tcp
US 8.8.8.8:53 usZJqQy.bitbucket.com udp
GB 185.166.141.7:443 usZJqQy.bitbucket.com tcp
US 8.8.8.8:53 gxFrJ.bitbucket.com udp
GB 185.166.141.7:443 gxFrJ.bitbucket.com tcp
US 8.8.8.8:53 CaqYPMub.bitbucket.com udp
GB 185.166.141.9:443 CaqYPMub.bitbucket.com tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 XozuHBYbEVDAj.bitbucket.com udp
GB 185.166.141.7:443 XozuHBYbEVDAj.bitbucket.com tcp
US 8.8.8.8:53 taCaXR.bitbucket.com udp
GB 185.166.141.9:443 taCaXR.bitbucket.com tcp
US 8.8.8.8:53 HwxpTLLqnvFd.bitbucket.com udp
GB 185.166.141.9:443 HwxpTLLqnvFd.bitbucket.com tcp
US 8.8.8.8:53 tuJmep.bitbucket.com udp
GB 185.166.141.7:443 tuJmep.bitbucket.com tcp
US 8.8.8.8:53 mega.co.nz udp
LU 66.203.124.31:443 mega.co.nz tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 wRMw.bitbucket.com udp
GB 185.166.141.7:443 wRMw.bitbucket.com tcp
US 8.8.8.8:53 OuLwHkJ.bitbucket.com udp
GB 185.166.141.9:443 OuLwHkJ.bitbucket.com tcp
US 8.8.8.8:53 Hm.bitbucket.com udp
GB 185.166.141.8:443 Hm.bitbucket.com tcp
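The Network table above, together with the six start-page values under Modifies Internet Explorer start page, shows a single generator at work: dozens of distinct, mixed-case, random-looking labels under one legitimate parent (bitbucket.com) resolved and contacted within two minutes. The Python below is added here as an example and is not part of the report or of any sandbox tooling. It reads rows in the table's own shape (country, destination, domain, protocol) and flags hosts by two heuristics: an uppercase letter anywhere in the name (DNS is case-insensitive and real clients almost never emit mixed-case hostnames, so this is a strong generated-name signal) and an unusual number of distinct children under one parent. The sample rows are a constructed subset copied in shape from the table; the two-label parent-domain guess is an assumption that holds for the TLDs in this report but would need a public-suffix list in production.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report's Network rows, same column layout
# (country, destination, domain, proto). Not the full capture.
SAMPLE_ROWS = """\
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 3.233.47.96:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 oCNdzXMlfeq.bitbucket.com udp
GB 185.166.141.7:443 oCNdzXMlfeq.bitbucket.com tcp
US 8.8.8.8:53 hcvUfgNDnImamA.bitbucket.com udp
US 8.8.8.8:53 pr.bitbucket.com udp
US 8.8.8.8:53 agp.bitbucket.com udp
US 8.8.8.8:53 O.bitbucket.com udp
US 8.8.8.8:53 kampower.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 EbKMT.bitbucket.com udp
US 8.8.8.8:53 wiSRqRmXNwg.bitbucket.com udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dst>\S+) (?P<domain>\S+) (?P<proto>tcp|udp)$")


def parse_rows(text: str) -> list:
    """Parse lines in the report's Network-table layout; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def parent_domain(host: str, depth: int = 2) -> str:
    """Assumed registrable domain: the last `depth` labels. Adequate for the
    .com/.net/.nz names in this report; use the public suffix list elsewhere."""
    return ".".join(host.split(".")[-depth:])


def has_uppercase_label(host: str) -> bool:
    """DNS names are case-insensitive and software that takes a hostname from
    configuration emits it lowercase; an uppercase letter means the name was
    built from a random alphabet that included A-Z."""
    return any(c.isupper() for c in host)


def flag_hosts(rows: list, min_distinct_subdomains: int = 3) -> tuple:
    """Return (flagged_hosts, fanout).

    A host is flagged if its name contains an uppercase letter, or if its
    parent domain has at least `min_distinct_subdomains` distinct children in
    the capture (one process touching many throwaway subdomains of one site).
    fanout maps each parent to its distinct-child count for reporting.
    """
    by_parent = defaultdict(set)
    for r in rows:
        by_parent[parent_domain(r["domain"])].add(r["domain"])
    flagged = set()
    for host in {r["domain"] for r in rows}:
        if has_uppercase_label(host):
            flagged.add(host)
        elif len(by_parent[parent_domain(host)]) >= min_distinct_subdomains:
            flagged.add(host)
    fanout = {parent: len(hosts) for parent, hosts in by_parent.items()}
    return sorted(flagged), fanout


if __name__ == "__main__":
    flagged, fanout = flag_hosts(parse_rows(SAMPLE_ROWS))
    for host in flagged:
        print("flagged:", host)
    print("fan-out per parent:", fanout)
```

On the sample rows every *.bitbucket.com name is flagged, including the lowercase pr and agp, which the uppercase rule misses and the fan-out rule catches. The lowercase Pipedream endpoint en6yogdxz5mjo.x.pipedream.net is caught by neither, which is why the report has a separate "Legitimate hosting services" signature: request-capture and paste endpoints look like ordinary customer subdomains and have to be matched on the parent domain.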

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:39

Reported

2024-05-30 09:41

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A
N/A drive.google.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Utils.CX.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\management.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Unipulator.mp4 C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\MeasureSave.wmf C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Microsoft.Xaml.Interactivity.winmd C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FilePdf32x32.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\instrument.dll C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.oMfffHRYEq.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.apZPRjcDub.com" C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig requests so it can back its working set with large pages, so these rows belong to the XMRig payload rather than to the Cobalt Strike loader; outside hosts that run a legitimate large-page workload such as SQL Server, a process enabling this privilege is worth alerting on.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_abfbe1df00939b4e4803ae434fac0933_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 111.81.85.54.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 51.201.222.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 IcjIiTegURpEc.bitbucket.com udp
GB 185.166.141.7:443 IcjIiTegURpEc.bitbucket.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 7.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 QvwlgJm.bitbucket.com udp
GB 185.166.141.9:443 QvwlgJm.bitbucket.com tcp
US 8.8.8.8:53 9.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 aKXchZD.bitbucket.com udp
GB 185.166.141.9:443 aKXchZD.bitbucket.com tcp
US 8.8.8.8:53 T.iXNyWAPiwFfdpdkZsLlo.readme.io udp
US 104.16.242.118:443 T.iXNyWAPiwFfdpdkZsLlo.readme.io tcp
US 8.8.8.8:53 B.RLssRfYOOSvNHJDueMFn.readme.io udp
US 104.16.242.118:443 B.RLssRfYOOSvNHJDueMFn.readme.io tcp
US 8.8.8.8:53 OTfmLFmRl.BRkKsIRdTVdGdkogKgdu.readme.io udp
US 104.16.241.118:443 OTfmLFmRl.BRkKsIRdTVdGdkogKgdu.readme.io tcp
US 8.8.8.8:53 o.bUrOlzTRZqPzWHzOozXd.readme.io udp
US 104.16.242.118:443 o.bUrOlzTRZqPzWHzOozXd.readme.io tcp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 8.8.8.8:53 xeQepfgctQYvm.vhpMFUGSZwPnaZqJVbdC.readme.io udp
US 104.16.241.118:443 xeQepfgctQYvm.vhpMFUGSZwPnaZqJVbdC.readme.io tcp
US 8.8.8.8:53 RYjbpW.CVvewTDIuDXaWWqYetpC.readme.io udp
US 104.16.242.118:443 RYjbpW.CVvewTDIuDXaWWqYetpC.readme.io tcp
US 8.8.8.8:53 TJToeVcaSaNh.bNPafmTjdHBTWtPnGdCv.readme.io udp
US 104.16.241.118:443 TJToeVcaSaNh.bNPafmTjdHBTWtPnGdCv.readme.io tcp
US 8.8.8.8:53 ojLLVHpYmYoXEb.NakwdMvDzDoUhTkozIWk.readme.io udp
US 104.16.242.118:443 ojLLVHpYmYoXEb.NakwdMvDzDoUhTkozIWk.readme.io tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 SqzKn.CQhwHNRhbKUhuxpwVVOg.readme.io udp
US 104.16.242.118:443 SqzKn.CQhwHNRhbKUhuxpwVVOg.readme.io tcp
US 8.8.8.8:53 Y.NJppamIwQRWUgCefZpOs.readme.io udp
US 104.16.242.118:443 Y.NJppamIwQRWUgCefZpOs.readme.io tcp
US 8.8.8.8:53 lUNYQ.LtmZiyEzdHuitVNEyUyM.readme.io udp
US 104.16.242.118:443 lUNYQ.LtmZiyEzdHuitVNEyUyM.readme.io tcp
US 8.8.8.8:53 pCSqjLEmw.IEQoeUsmGxSUZtINzhOw.readme.io udp
US 104.16.241.118:443 pCSqjLEmw.IEQoeUsmGxSUZtINzhOw.readme.io tcp
US 8.8.8.8:53 ZzSxTsM.KxVdKiHODRSGEnllQiov.readme.io udp
US 104.16.242.118:443 ZzSxTsM.KxVdKiHODRSGEnllQiov.readme.io tcp
US 8.8.8.8:53 idrYQnO.dBdWcIPIOLyBwRXrwIYc.readme.io udp
US 104.16.242.118:443 idrYQnO.dBdWcIPIOLyBwRXrwIYc.readme.io tcp
US 8.8.8.8:53 BHZSaLEhB.XuVaxGkyEuBtGqpBJhVv.readme.io udp
US 104.16.242.118:443 BHZSaLEhB.XuVaxGkyEuBtGqpBJhVv.readme.io tcp
US 8.8.8.8:53 bCmUQMObeTga.ETdTiqdqsDsNaUwtZfDp.readme.io udp
US 104.16.241.118:443 bCmUQMObeTga.ETdTiqdqsDsNaUwtZfDp.readme.io tcp
US 8.8.8.8:53 abrakadabra.host udp
LU 66.203.124.31:443 mega.co.nz tcp
US 8.8.8.8:53 wvQoOaV.LVvNHPlNnkAlJTtfowGt.readme.io udp
US 104.16.241.118:443 wvQoOaV.LVvNHPlNnkAlJTtfowGt.readme.io tcp
US 8.8.8.8:53 JpXRCPEqt.voNiKuEhCZXqnbTMXVoB.readme.io udp
US 104.16.241.118:443 JpXRCPEqt.voNiKuEhCZXqnbTMXVoB.readme.io tcp
US 8.8.8.8:53 31.124.203.66.in-addr.arpa udp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 18.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 htutWcLXDvqZdU.bitbucket.com udp
GB 185.166.141.8:443 htutWcLXDvqZdU.bitbucket.com tcp
US 8.8.8.8:53 k.bitbucket.com udp
GB 185.166.141.7:443 k.bitbucket.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8.141.166.185.in-addr.arpa udp
US 8.8.8.8:53 PdxfaPjiVmkKTL.bitbucket.com udp
GB 185.166.141.8:443 PdxfaPjiVmkKTL.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 YlRQaQixyO.bitbucket.com udp
GB 185.166.141.8:443 YlRQaQixyO.bitbucket.com tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 noscullsnow.com udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 DrsJIPUyaTQdR.XoSaYKIKCOHrxrDaqoah.readme.io udp
US 104.16.241.118:443 DrsJIPUyaTQdR.XoSaYKIKCOHrxrDaqoah.readme.io tcp
US 8.8.8.8:53 Pl.jZulFQVLjKnSekrgCxLe.readme.io udp
US 104.16.242.118:443 Pl.jZulFQVLjKnSekrgCxLe.readme.io tcp
US 8.8.8.8:53 idcomercial.com.br udp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 abrakadabra.host udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 DfKnHZGWe.SnvXCOItFceFUjMNPkgo.readme.io udp
US 104.16.241.118:443 DfKnHZGWe.SnvXCOItFceFUjMNPkgo.readme.io tcp
US 8.8.8.8:53 xiHdP.fNhYcYaBgGWBQAmUOkSZ.readme.io udp
US 104.16.241.118:443 xiHdP.fNhYcYaBgGWBQAmUOkSZ.readme.io tcp
US 8.8.8.8:53 HPklz.tHrGCnbCocnDKhBbRpVB.readme.io udp
US 104.16.241.118:443 HPklz.tHrGCnbCocnDKhBbRpVB.readme.io tcp
US 8.8.8.8:53 yu.pLfvjqmXMaRklioaAunT.readme.io udp
US 104.16.242.118:443 yu.pLfvjqmXMaRklioaAunT.readme.io tcp
US 8.8.8.8:53 fJcYeNKqk.AorZAQUCTeULzPKygGvH.readme.io udp
US 104.16.241.118:443 fJcYeNKqk.AorZAQUCTeULzPKygGvH.readme.io tcp
US 8.8.8.8:53 evOg.qYxQViFxyzvFRNcOVfjM.readme.io udp
US 104.16.242.118:443 evOg.qYxQViFxyzvFRNcOVfjM.readme.io tcp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
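
The Network table above mixes three kinds of rows: forward DNS lookups to the resolver at 8.8.8.8:53, reverse (in-addr.arpa) lookups that only resolve addresses already contacted and carry no new indicator, and the actual TLS connections. Several domains (abrakadabra.host, xwchn.net, noscullsnow.com, jmbvmwp.mxp4037.com, idcomercial.com.br) are queried but never connected to, and many names are a random-looking mixed-case label under a legitimate service (bitbucket.com, readme.io). The following Python is an added example, not part of the report or of any sandbox tooling: it reduces a table in this row format to the connections that matter, the queried-but-not-contacted domains, and the generated-looking names. The embedded rows are copied from the table above; treating a mixed-case label as generated is this example's heuristic, not something the report states.

```python
"""Reduce a sandbox Network table ("<CC> <ip>:<port> <domain> <proto>" rows) to IOCs.

Added example. Port-53 UDP rows are DNS; in-addr.arpa names among them are PTR
lookups of addresses the host already talked to. Everything else is a connection.
"""
import re
from collections import Counter
from typing import Dict, List

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Rows copied from the report's Network table (a subset).
SAMPLE_ROWS = """\
US 8.8.8.8:53 en6yogdxz5mjo.x.pipedream.net udp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 54.85.81.111:443 en6yogdxz5mjo.x.pipedream.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 111.81.85.54.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 IcjIiTegURpEc.bitbucket.com udp
GB 185.166.141.7:443 IcjIiTegURpEc.bitbucket.com tcp
US 8.8.8.8:53 T.iXNyWAPiwFfdpdkZsLlo.readme.io udp
US 104.16.242.118:443 T.iXNyWAPiwFfdpdkZsLlo.readme.io tcp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 noscullsnow.com udp
"""


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Parse table rows; a line that does not match the row format is an error, not skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row: Dict[str, object] = m.groupdict()
        row["port"] = int(m.group("port"))
        rows.append(row)
    return rows


def is_ptr(domain: str) -> bool:
    d = domain.lower()
    return d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa")


def has_mixed_case_label(domain: str) -> bool:
    """Heuristic: hostnames are conventionally lower-case; a mixed-case label suggests a generator."""
    for label in domain.split("."):
        if any(c.isupper() for c in label) and any(c.islower() for c in label):
            return True
    return False


def triage(text: str) -> dict:
    rows = parse_rows(text)
    dns = [r for r in rows if r["port"] == 53 and r["proto"] == "udp"]
    conns = [r for r in rows if r["port"] != 53]
    queried = {str(r["domain"]) for r in dns if not is_ptr(str(r["domain"]))}
    contacted = {str(r["domain"]) for r in conns}
    return {
        # (domain, ip:port) -> number of connection rows
        "connections": Counter((str(r["domain"]), f'{r["ip"]}:{r["port"]}') for r in conns),
        # looked up, but no connection row follows: NXDOMAIN, sinkholed, or not reached in time
        "queried_only": sorted(queried - contacted),
        "generated_names": sorted(d for d in queried | contacted if has_mixed_case_label(d)),
        "ptr_lookups": sum(1 for r in dns if is_ptr(str(r["domain"]))),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for (domain, dest), n in result["connections"].most_common():
        print(f"{n:3d}  {dest:22s} {domain}")
    print("queried only:", result["queried_only"])
    print("generated-looking:", result["generated_names"])
    print("PTR lookups dropped:", result["ptr_lookups"])
```

The report does not show DNS answers, so a domain in `queried_only` may have been NXDOMAIN, sinkholed by the sandbox, or simply not yet contacted when detonation ended; it still belongs on the block list. The mixed-case heuristic misses short lower-case generated labels such as k.bitbucket.com, so review the full name set rather than trusting the flag alone.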

Files

memory/3056-0-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-1-0x00000000001E0000-0x00000000001F0000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll

MD5 84a6b8406e0fe388a08c37880cd21480
SHA1 2fd23341e4770de7a4116f8c74297af665f0f3a5
SHA256 39aba7c9a6c4734cb8c4b374eae295bc6a409e0cd53ed261b154a33ca998dba9
SHA512 d1070f2777cd1114f4696eeca24a3d71cad68185cbcf2b17705753706b0df27d14d2fb1a05a0b87748d762ca55da55cbe924e3ba2ba17a18076101906e814feb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 50af2b4524b56c8a817ec9f48b6532b1
SHA1 a37d5f39f22ac2700311a1f2cf39890ddaa6e7ba
SHA256 916b6f305317f440381da1995f7a122d6602e67690e4495c957df0fc2d95ffbb
SHA512 c2eae433c0094b06878c3876c8341e9cb74a90281d82da9844337c27acaffb453b0bc17806d5615096a67ff1e1ef42751ffeb7aab0a51550c85f0aaa27560a4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

memory/3056-808-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-2019-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-2645-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-3194-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-4313-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-5061-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-5064-0x0000000000060000-0x0000000000062000-memory.dmp

memory/3056-5068-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-5069-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/3056-5070-0x0000000005500000-0x0000000005501000-memory.dmp

memory/3056-5071-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/3056-5074-0x0000000000401000-0x00000000010B5000-memory.dmp