Malware Analysis Report

2025-08-06 02:06

Sample ID 241027-hgxcdswckn
Target 2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike
SHA256 ff8a3cab3207bce30673ea12d6285400f464979b433e2902ec56beb20d140645
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff8a3cab3207bce30673ea12d6285400f464979b433e2902ec56beb20d140645

Threat Level: Known bad

The file 2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Xmrig family

Loads dropped DLL

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

UPX packed file

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 06:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 06:43

Reported

2024-10-27 06:45

Platform

win7-20241010-en

Max time kernel

55s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(8 hits; no indicator details recorded)

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
(10 hits; no indicator details recorded)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\ConfirmJoin.mpeg3 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pl.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\wab32.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Eurosti.TTF C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Internet Explorer\networkinspection.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip32.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\es.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Pipeline.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Internet Explorer\ie9props.propdesc C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\DVD Maker\WMM2CLIP.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
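
The table above lists 64 Program Files entries touched by one process in under a minute. The useful first cut on a list like this is to separate created from modified entries, group them by product directory, and isolate the executable files (VSTOLoader.dll, wab32.dll, iediagcmd.exe, 7-zip32.dll, Pipeline.dll, javafx-iio.dll and so on), because those are the entries whose hashes need comparing against a clean image to tell overwritten binaries from noise. The Python below is an added example, not code from the report or from the sandbox vendor. It runs over eight rows copied from the table with the sample's long process path shortened to sample.exe (a constructed input), and its parser assumes the sandbox's row shape, in which only the target path can contain spaces.

```python
"""Summarize a sandbox 'Drops file in Program Files directory' table:
count actions per product directory and pull out executable-type files
worth hash-comparing. Added example; not part of the sandbox report."""
import re
from collections import Counter

# Constructed input: eight rows taken from the table above, with the sample's
# process path shortened to sample.exe for readability.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Common Files\System\wab32.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip32.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\DVD Maker\Pipeline.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
"""

# Row shape: "<action> <target path, may contain spaces> <process path, no spaces> N/A"
ROW_RE = re.compile(r"^(File created|File opened for modification) (C:\\.+?) (C:\\\S+) N/A$")
EXECUTABLE_EXT = (".dll", ".exe", ".sys", ".ocx")


def parse_rows(text):
    """Return [(action, target_path, process_path)] for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def product_dir(path):
    """First directory under C:\\Program Files (or Program Files (x86)), e.g. 'Common Files'."""
    m = re.match(r"C:\\Program Files(?: \(x86\))?\\([^\\]+)", path)
    return m.group(1) if m else "<other>"


def summarize(rows):
    """Counts per action and per product directory, plus the executable-type targets."""
    by_action = Counter(action for action, _, _ in rows)
    by_dir = Counter(product_dir(path) for _, path, _ in rows)
    # '.dll.mui' resource files end in '.mui', so they are correctly left out here.
    executables = sorted(path for _, path, _ in rows
                         if path.lower().endswith(EXECUTABLE_EXT))
    return {"by_action": by_action, "by_dir": by_dir, "executables": executables}


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    print("by action:", dict(summary["by_action"]))
    print("by product directory:", dict(summary["by_dir"]))
    print("executable targets to hash-compare against a clean image:")
    for path in summary["executables"]:
        print("  ", path)
```

On the full table the same script is what you would point at an exported copy of the report; the executable list is the set to check with a known-good hash source before concluding whether the sample replaced system binaries or merely opened them.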

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.oynEJFGuIa.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.YDuJrUPwKH.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Note: both values are 10-character mixed-case labels of the same shape as the readme.io subdomains in the Network section, which is consistent with generated strings; the registry write itself is the indicator here, and the two hostnames should not be treated as live infrastructure without resolution evidence.

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Note: AuthRoot is the store that Windows' automatic root-certificate update populates, and the one blob preserved here decodes to a public root: its CERT_SHA1_HASH property equals the key name CABD2A79A1076A31F21D253635CB039D4329A5E8, and the DER under CERT_CERT_PROP_ID carries the subject Internet Security Research Group / ISRG Root X1 (readable in the hex above). Together with the CryptnetUrlCache files listed under Files, this is consistent with the OS fetching public roots while the sample made TLS connections, not with the sample installing a CA of its own; the signature adds little for this sample unless one of the omitted blobs decodes to an issuer you do not recognize.
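
The Blob values in this table use the Windows certificate-store serialization: a sequence of (property ID, reserved = 1, length, data) records, with the DER certificate stored under CERT_CERT_PROP_ID (0x20) and its SHA1 under CERT_SHA1_HASH_PROP_ID (3). Checking that the stored SHA1, the SHA1 of the DER and the registry key name all agree is the quickest way to tell an auto-updated public root from a planted one. The Python below is an added example, not code from the report or from the sandbox vendor. It decodes the leading bytes of the ROOT\Certificates\CABD2A79...\Blob value copied from the table above (cut 13 bytes into the certificate, so the DER itself is not hashed here) and then, on a constructed minimal blob, runs the full thumbprint check you would apply to a blob exported from the registry. Property names are the wincrypt.h constants; the DER-length helper assumes the value starts with a SEQUENCE header.

```python
"""Decode SystemCertificates\\...\\Blob registry values and check the
embedded certificate against the thumbprint used as the key name.
Added example; not part of the sandbox report."""
import hashlib
import struct

# CERT_*_PROP_ID constants from wincrypt.h (only those present in the report's blob)
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

# Leading bytes of ROOT\Certificates\CABD2A79...\Blob exactly as printed in the
# table above, cut off 13 bytes into the DER certificate (offline demo input).
REPORT_BLOB_PREFIX = bytes.fromhex(
    "040000000100000010000000" "0cd2f9e0da1773e9ed864da5e370e74e"
    "140000000100000014000000" "79b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000" "cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f0000000100000020000000" "3f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "190000000100000010000000" "2fe1f70bb05d7c92335bc5e05b984da6"
    "20000000010000006f050000" "3082056b30820353a003020102"
)
REPORT_KEY_NAME = "CABD2A79A1076A31F21D253635CB039D4329A5E8"


def parse_cert_blob(blob):
    """Walk the (prop_id, reserved, length, data) records.
    Returns [(prop_id, declared_length, data)]; data is shorter than
    declared_length when the blob is truncated."""
    records, off = [], 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off}")
        off += 12
        records.append((prop_id, length, blob[off:off + length]))
        off += length
    return records


def der_total_length(der):
    """Total byte length of a DER SEQUENCE from its header (short and long form)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def verify_thumbprint(blob, key_name):
    """True only if the blob is complete, carries a certificate whose DER header
    agrees with the record length, and both the stored SHA1 property and
    SHA1(DER) equal the registry key name."""
    props = {pid: (length, data) for pid, length, data in parse_cert_blob(blob)}
    if CERT_CERT_PROP_ID not in props:
        return False
    length, der = props[CERT_CERT_PROP_ID]
    if len(der) != length or der_total_length(der) != length:
        return False
    want = key_name.lower()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, (0, b""))[1].hex()
    return stored == want and hashlib.sha1(der).hexdigest() == want


def build_cert_blob(der):
    """Constructed minimal blob (SHA1 property + certificate) for testing."""
    recs = [(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()),
            (CERT_CERT_PROP_ID, der)]
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in recs)


def describe(blob):
    """(property name, declared length, bytes actually present) per record."""
    return [(PROP_NAMES.get(pid, f"PROP_{pid}"), length, len(data))
            for pid, length, data in parse_cert_blob(blob)]


if __name__ == "__main__":
    for name, declared, present in describe(REPORT_BLOB_PREFIX):
        print(f"{name:42s} declared={declared:5d} present={present}")
    der_head = parse_cert_blob(REPORT_BLOB_PREFIX)[-1][2]
    print("DER header announces", der_total_length(der_head), "bytes")
    print("full check on the truncated prefix:",
          verify_thumbprint(REPORT_BLOB_PREFIX, REPORT_KEY_NAME))
```

On the report's prefix the parser shows the SHA1 property already matching the key name and a certificate record declaring 0x56f = 1391 bytes, which is exactly what the DER header 30 82 05 6b announces; on a complete export the same function hashes the DER as well, and a mismatch between the three values is what a planted or tampered entry looks like.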

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Note: SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables when it tries to back its RandomX dataset with large pages, so a user-mode binary requesting it corroborates the miner classification above; the request only succeeds if the account has been granted that right, and XMRig falls back to normal pages otherwise.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 enmfwpb224ioj.x.pipedream.net udp
US 52.87.53.160:443 enmfwpb224ioj.x.pipedream.net tcp
US 52.87.53.160:443 enmfwpb224ioj.x.pipedream.net tcp
US 52.87.53.160:443 enmfwpb224ioj.x.pipedream.net tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 GN.tGFDzylahtIgNlUpnNtU.readme.io udp
US 104.16.242.118:443 GN.tGFDzylahtIgNlUpnNtU.readme.io tcp
US 8.8.8.8:53 mvwkDIHfUHX.bdbxZAlWIxHDQjHkQrhb.readme.io udp
US 104.16.241.118:443 mvwkDIHfUHX.bdbxZAlWIxHDQjHkQrhb.readme.io tcp
US 8.8.8.8:53 TZhWjwo.gepvdkcNvMtTzBSDslVM.readme.io udp
US 104.16.242.118:443 TZhWjwo.gepvdkcNvMtTzBSDslVM.readme.io tcp
US 8.8.8.8:53 oZYp.YTfGSZUiPYcQftezDLOc.readme.io udp
US 104.16.241.118:443 oZYp.YTfGSZUiPYcQftezDLOc.readme.io tcp
US 8.8.8.8:53 MIFaDLdICIDqV.EpjeysXNynraKPhMDIZb.readme.io udp
US 104.16.242.118:443 MIFaDLdICIDqV.EpjeysXNynraKPhMDIZb.readme.io tcp
US 8.8.8.8:53 SONOOHx.mWzcQkKBvYrmqFnTASWO.readme.io udp
US 104.16.242.118:443 SONOOHx.mWzcQkKBvYrmqFnTASWO.readme.io tcp
US 8.8.8.8:53 ZuMxYw.mozyXsEmzfjRpouRuADy.readme.io udp
US 104.16.241.118:443 ZuMxYw.mozyXsEmzfjRpouRuADy.readme.io tcp
US 8.8.8.8:53 XZXzVXzUqnVl.tVDQGpRqdiXfXgysJTuy.readme.io udp
US 104.16.242.118:443 XZXzVXzUqnVl.tVDQGpRqdiXfXgysJTuy.readme.io tcp
US 8.8.8.8:53 zARdijkkRugh.YCYbGQPAVDdAuyKyWUrL.readme.io udp
US 104.16.242.118:443 zARdijkkRugh.YCYbGQPAVDdAuyKyWUrL.readme.io tcp
US 8.8.8.8:53 LFb.hJETdfxeOVrXtxUGFNSx.readme.io udp
US 104.16.242.118:443 LFb.hJETdfxeOVrXtxUGFNSx.readme.io tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
LU 31.216.145.5:443 mega.nz tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 kampower.com udp
US 75.98.175.121:443 kampower.com tcp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 fx.UyvxjswzSajKcEsErfrB.readme.io udp
US 104.16.242.118:443 fx.UyvxjswzSajKcEsErfrB.readme.io tcp
US 8.8.8.8:53 TvhmFs.zDibmcRohigBAINPIfbv.readme.io udp
US 104.16.241.118:443 TvhmFs.zDibmcRohigBAINPIfbv.readme.io tcp
US 8.8.8.8:53 fpGRlEOiwpF.TKiTrxkhDCVIMbYukePN.readme.io udp
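
The subdomains queried under readme.io above (13 distinct hostnames in the full table, each built from mixed-case labels, all answered by two Cloudflare addresses, 104.16.241.118 and 104.16.242.118) and the pipedream.net endpoint share a shape with the generated Start Page values in the registry section: the apex is a legitimate SaaS domain and the leftmost labels are random. A detection keyed on the apex alone would allow-list this traffic, which is the point of the "Legitimate hosting services abused" signature; the check worth running over a sandbox network table is per-apex counting of random-looking labels. The Python below is an added example, not code from the report or from the sandbox vendor. It reads a constructed subset of the rows above (country, destination, domain, proto), flags labels by length, entropy and case mix (the thresholds are assumptions), groups them by apex, and also lists names that were resolved but never connected to. It takes the apex to be the last two labels, which is wrong for multi-label public suffixes such as co.uk.

```python
"""Flag random-looking subdomains of legitimate apex domains in a sandbox
network table. Added example; not part of the sandbox report."""
import math
from collections import Counter, defaultdict

# Constructed input: rows copied from the Network table above
# (country, destination, domain, proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 enmfwpb224ioj.x.pipedream.net udp
US 52.87.53.160:443 enmfwpb224ioj.x.pipedream.net tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 GN.tGFDzylahtIgNlUpnNtU.readme.io udp
US 104.16.242.118:443 GN.tGFDzylahtIgNlUpnNtU.readme.io tcp
US 8.8.8.8:53 mvwkDIHfUHX.bdbxZAlWIxHDQjHkQrhb.readme.io udp
US 104.16.241.118:443 mvwkDIHfUHX.bdbxZAlWIxHDQjHkQrhb.readme.io tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 kampower.com udp
US 75.98.175.121:443 kampower.com tcp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
"""


def parse_rows(text):
    """Split 'Country Destination Domain Proto' rows into dicts; skips malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label, min_len=8, min_entropy=3.0):
    """Heuristic for generated labels: long and high-entropy, or mixed case
    (DNS names are case-insensitive, so hand-written hostnames rarely mix case).
    Thresholds are assumptions chosen for this table."""
    if len(label) < min_len:
        return False
    mixed_case = label != label.lower() and label != label.upper()
    return mixed_case or shannon_entropy(label.lower()) >= min_entropy


def split_apex(domain):
    """Assumption: the apex is the last two labels (no public-suffix-list handling)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]).lower(), labels[:-2]


def flag_random_subdomains(rows):
    """Map apex -> sorted distinct random-looking subdomain labels seen under it."""
    found = defaultdict(set)
    for row in rows:
        apex, subs = split_apex(row["domain"])
        for label in subs:
            if looks_random(label):
                found[apex].add(label)
    return {apex: sorted(labels) for apex, labels in found.items()}


def dns_only_domains(rows):
    """Names that were resolved via port 53 but never had a TCP connection."""
    queried = {r["domain"].lower() for r in rows
               if r["proto"] == "udp" and r["dest"].endswith(":53")}
    connected = {r["domain"].lower() for r in rows if r["proto"] == "tcp"}
    return sorted(queried - connected)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for apex, labels in sorted(flag_random_subdomains(rows).items()):
        print(f"{apex}: {len(labels)} generated-looking label(s): {', '.join(labels)}")
    print("resolved but never contacted:", dns_only_domains(rows))
```

The count per apex is the signal to alert on: one odd label under readme.io is a documentation site, a dozen distinct ones from a single process in a minute is a beacon or a sandbox probe, and the apex's reputation says nothing either way.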

Files

memory/2904-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2904-1-0x0000000000400000-0x00000000010B6000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe

MD5 4de4cb1bc0a3e7dca79e33efff057793
SHA1 cc18fadd30c465fb974298a979e60e26104709fb
SHA256 bcdf0a598f06fae6404f66bf1f724560fc3a35b690ddade9f90beef84bd747bd
SHA512 0dff53abed9f38e91d17f7a20cc63c8287ae8a0de49eb026187bb705cb1d8ded6c3c1bdf365cb4c424fce9f16aa6b4a8a33c5b89da0a85b928b71b9ad2eb0e52

C:\Users\Admin\AppData\Local\Temp\TarFA1D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\CabFA1C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35b914d93dcb8e24ec792025f4ffe0b8
SHA1 f8ec06d9609394be023ab23b408c295cd61a2fc7
SHA256 4dce57247656bdf98cfef74ca48d080274c50b4d2ad310611dd39508c3756faf
SHA512 e327fed40610dc7892d3bab278a1b3f8cff1a3bb3bb2078da966b6dbbb55c346f7e62740295468f8eaad09a56feec6fe852db89f038e803e485d64c73c096e11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2f312ba372a307d8a20e856a7bfa2fe
SHA1 c9465929e9776092d06902753a4749abd7c9296e
SHA256 7b636d687860bd933498edf8dc3e0ff811a69844cbad85ec1ef792c40d4a8a2d
SHA512 cb7686f25864a4f141987861018459e4ae08328d09c34dfcd5832fbe36386881982702dff95b59282d6e631693e9c9a1d219934f44171ea906fcb6a50c9f55fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 751263f88ed0bbbaac357ad4225e788a
SHA1 b84e31ed01ab3efa9f210c53c933ed75d74666a0
SHA256 00bf01d65bc7e0e6851314d8fa291adb5ec2a20f8e15d9070d7f56dfa8d37fc1
SHA512 d8ac413637a01bf42a87e7985ba5b521fb519267216417d3b4b6912cf0e71dd1800f2c15f0f7bd9f0256538f6c48bedfffdc2350fbf95d53f9acfec9c8dd8a53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 54bbaeefb6c7f5f023341ea7c07514e8
SHA1 db950b40e21de9a0be4cbfc68a3ae4ea825a8b2a
SHA256 498e8d74c33d3b58bec35614f22e534b54f1258dff38369b3e820d997ccaf383
SHA512 f7ea0e968bc0f1269eb83ae2650fd02e75bcf197806e249f288ecb0049a8daa955eab723daf1ee4f75956b3c77f2aa3e7ee942cf894fc9c9c70b20ad63b07243

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a4a12f5bfff0d67cb9b7268d4f11916
SHA1 33f6d73df821b5deb3dd1d980a30af887a3b2e0e
SHA256 223707644f54891d939dd47424c2bd76485c51a57213bfcf2bf9e086c2cfcec6
SHA512 b922475a408bb7b2a0355bfff0d07b5d04381ff6c2beee4ab18fc072f4d2ccc746c4b8541affba204a3d62a2f810665132bd52ca50bf022816eaa30dc1176297

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74e7632f1c868a2e9904483ee263a9dd
SHA1 a2c2f3627648c012e0cff88167d7a2ffe9d4abb2
SHA256 c2fe6037f631c8f59408f7e49057bb68091505470eceef54130d7ed7685d6abd
SHA512 d637bfe1ba2ac299ee28af597605c95cf018b36086ba8495de2939939847845dfcf2d1c7799a4ae38a5fd846d7fc16793c7bc2fa7cd39f6805ef720d22c0d55c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22c3260a2b62e24065bcf738e5ae76b5
SHA1 e486ae064f16fd86367ef9119478c4bdaa920a58
SHA256 6f90e5661e81cd1e2a699642c0d5988160000d9ada58e2a9763b9b81262032d3
SHA512 34b00bcd03419951b75e16a1fcfed8a7adc9c1ddde0a6204168a906ed621ed5456aff99aaa992edddfab30ae962826043e9dad466646312747eda511aa96e35c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f339b208a892c43295ed39fa5524e5b0
SHA1 c252e89902ae28cc64b6dd614b27e42591a39d65
SHA256 7ad4a4b4a4ff9405f1dd440efb95615e2ce8399a062cf154ee99c74dde5982aa
SHA512 005ae7a6da47b40e130c40f739beaf89ed72c0561ffea1c3de6e3cd6f89a2b8622228b3407c5f7961efb01f6ce53bfa95b37fa004d0ca00b20b3acddf1dc0c73

memory/2904-534-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-535-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-576-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-984-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-1310-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-1621-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-1640-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2904-1644-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2904-1647-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2904-1649-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2904-1653-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2904-1656-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-1660-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/2904-1661-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2904-1662-0x0000000000401000-0x00000000010B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 06:43

Reported

2024-10-27 06:45

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(3 hits; no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(8 hits; no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
(36 hits; no indicator details recorded)

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_pt-BR.json C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Uci.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Large.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onenote_whatsnew.xml C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_hu.json C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125_contrast-high.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.js C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.NativeComponents.winmd C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\ado\msado28.tlb C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Wide.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.LqWWfumjDt.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.DakvLKwrFB.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.rGJQsqJIun.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.uKnTlLqSgO.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.LwIoAtdssy.com" C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob value elided) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value elided) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob value elided) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value elided) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob value elided) C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 enmfwpb224ioj.x.pipedream.net udp
US 8.8.8.8:53 abrakadabra.host udp
US 107.20.215.158:443 enmfwpb224ioj.x.pipedream.net tcp
US 107.20.215.158:443 enmfwpb224ioj.x.pipedream.net tcp
US 107.20.215.158:443 enmfwpb224ioj.x.pipedream.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 158.215.20.107.in-addr.arpa udp
US 8.8.8.8:53 113.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 XobmuuC.wlzDqlMxVcUubPrGmUqR.readme.io udp
US 104.16.242.118:443 XobmuuC.wlzDqlMxVcUubPrGmUqR.readme.io tcp
US 8.8.8.8:53 sDg.ritCWCXzTNdSyQXqhMdq.readme.io udp
US 104.16.242.118:443 sDg.ritCWCXzTNdSyQXqhMdq.readme.io tcp
US 8.8.8.8:53 D.VtnYkUKdTnQItXLfCumb.readme.io udp
US 104.16.242.118:443 D.VtnYkUKdTnQItXLfCumb.readme.io tcp
US 8.8.8.8:53 xrSFAlsRzQhF.PdZwTtcFDtDhMbaRHQHo.readme.io udp
US 104.16.242.118:443 xrSFAlsRzQhF.PdZwTtcFDtDhMbaRHQHo.readme.io tcp
US 8.8.8.8:53 eqET.IJWlpkhLoohGKBsHqQKe.readme.io udp
US 104.16.241.118:443 eqET.IJWlpkhLoohGKBsHqQKe.readme.io tcp
US 8.8.8.8:53 118.242.16.104.in-addr.arpa udp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 118.241.16.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 kampower.com udp
US 75.98.175.121:443 kampower.com tcp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 121.175.98.75.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 BW.bitbucket.com udp
IE 185.166.142.21:443 BW.bitbucket.com tcp
US 8.8.8.8:53 21.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.21:443 bitbucket.org tcp
US 8.8.8.8:53 gBtjeZMRKUXG.bitbucket.com udp
IE 185.166.142.23:443 gBtjeZMRKUXG.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 nhKl.bitbucket.com udp
IE 185.166.142.22:443 nhKl.bitbucket.com tcp
US 8.8.8.8:53 23.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 5.145.216.31.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 idcomercial.com.br udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 xwchn.net udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 www.jmxyc.com udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 18.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 PYXmgpmCjUfVDD.bitbucket.com udp
IE 185.166.142.23:443 PYXmgpmCjUfVDD.bitbucket.com tcp
US 8.8.8.8:53 d.bitbucket.com udp
IE 185.166.142.22:443 d.bitbucket.com tcp
US 8.8.8.8:53 abrakadabra.host udp
US 8.8.8.8:53 xwchn.net udp
US 8.8.8.8:53 jmbvmwp.mxp4037.com udp
US 8.8.8.8:53 o.tUDQIEFJhmSPAoiFVdds.readme.io udp
US 104.16.241.118:443 o.tUDQIEFJhmSPAoiFVdds.readme.io tcp
US 8.8.8.8:53 uJrnWcWR.FjGiqxBjpIiWPxJZlvLo.readme.io udp
US 104.16.242.118:443 uJrnWcWR.FjGiqxBjpIiWPxJZlvLo.readme.io tcp
US 8.8.8.8:53 bmt.vPnBNKGBViKNaKKlBnIB.readme.io udp
US 104.16.241.118:443 bmt.vPnBNKGBViKNaKKlBnIB.readme.io tcp
US 8.8.8.8:53 QHyypH.UjpxswwqwmpjCUKsXlgg.readme.io udp
US 104.16.241.118:443 QHyypH.UjpxswwqwmpjCUKsXlgg.readme.io tcp
US 8.8.8.8:53 hMMrrNi.ySXccNDYlUnrEUdOVhDQ.readme.io udp
US 104.16.241.118:443 hMMrrNi.ySXccNDYlUnrEUdOVhDQ.readme.io tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2448-0-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 c3858f97825b8353e8bd0b82a6c67317
SHA1 e5c539aed96b5fb575a71760ee6ed906480e0d1b
SHA256 e513580015bfb7f8a754e8ed6274c78d2dca9ee51178d2b18e7e7dee2cb0c6a0
SHA512 ca177f1203b0bb986a037e43fc0c4025494b4ab8e019005f9fd54d750b15f8780055cf46899f4c6be60f3595082284846abb2317ee5b7fb89b5917dc626b185c

memory/2448-820-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-818-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-1986-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-3098-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-4185-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-4510-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-4513-0x0000000000060000-0x0000000000062000-memory.dmp

memory/2448-4516-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-4517-0x0000000000401000-0x00000000010B5000-memory.dmp

memory/2448-4518-0x0000000000400000-0x00000000010B6000-memory.dmp

memory/2448-4519-0x0000000000401000-0x00000000010B5000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 3cf18c66ed9d0f59b658ffbd6eed0068
SHA1 b62e6e8b255ccffd92139033007cae8ca6cd158d
SHA256 c07ab468f1ad2080fafd85c66574902b7a3920098a8479d79df63c7ce0118ab6
SHA512 d9728733de6cf0bb40b43d3b25907ec38105395201d40ae18ec182bdfdd7f5f967400bf56243c5fdeeb59db4f4963a159006a93ca8a2f8283515523b7fae99fc

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 743fa443fcc65bfed39cdf92fa298a29
SHA1 0ddfcd8dae8884460c89dca38ca27f7a1c66f58e
SHA256 4fe64de34e806b3d54139d1c630cc116b57b464d7622ea750b60830a973a1eb9
SHA512 4df1d60776e7495ae351b22b73ba0df503c0d1a6caf05b01cf958a8f2a493e6c7e931be4a3642dfd867439bb73569797f38ebb5c8130ffbaf6f9b0dd6086ccfa