Windows Analysis Report
cobaltstrike.dll

Overview

General Information

Sample name: cobaltstrike.dll (renamed file extension from exe to dll)
Original sample name: cobaltstrike.exe
Analysis ID: 1555135
MD5: 943afff642b01160380eaae87a33da07
SHA1: 67f575725d10dae057a35aa15691278a2245e158
SHA256: 6e5887670a74b010bff1c5bc11e936b392a12ed48a6afd796bd712c2594d423b
Tags: cobaltstrike, exe, user-JAMESWT_MHT

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects code into the Windows Explorer (explorer.exe)
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Explorer NOUACCHECK Flag
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll64.exe (PID: 4832 cmdline: loaddll64.exe "C:\Users\user\Desktop\cobaltstrike.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4064 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6088 cmdline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • sihost.exe (PID: 1340 cmdline: C:\Windows\System32\sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
          • WerFault.exe (PID: 4412 cmdline: C:\Windows\system32\WerFault.exe -u -p 1340 -s 544 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 616 cmdline: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,CloseThreadWaitChainSession MD5: EF3179D498793BF4234F708D3BE28633)
      • Advanced_IP_Scanner.exe (PID: 6516 cmdline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe MD5: 5537C708EDB9A2C21F88E34E8A0F1744)
        • Advanced_IP_Scanner.tmp (PID: 2020 cmdline: "C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp" /SL5="$20408,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" MD5: B87639F9A6CF5BA8C9E1F297C5745A67)
      • sihost.exe (PID: 3908 cmdline: C:\Windows\System32\sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
        • explorer.exe (PID: 1080 cmdline: explorer.exe /LOADSAVEDWINDOWS MD5: 662F4F92FDE3557E86D110526BB578D5)
    • rundll32.exe (PID: 6600 cmdline: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,GetThreadWaitChain MD5: EF3179D498793BF4234F708D3BE28633)
      • Advanced_IP_Scanner.exe (PID: 5712 cmdline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe MD5: 5537C708EDB9A2C21F88E34E8A0F1744)
        • Advanced_IP_Scanner.tmp (PID: 2100 cmdline: "C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp" /SL5="$30412,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" MD5: B87639F9A6CF5BA8C9E1F297C5745A67)
      • sihost.exe (PID: 516 cmdline: C:\Windows\System32\sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
        • explorer.exe (PID: 3992 cmdline: explorer.exe /LOADSAVEDWINDOWS MD5: 662F4F92FDE3557E86D110526BB578D5)
    • rundll32.exe (PID: 4040 cmdline: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,OpenThreadWaitChainSession MD5: EF3179D498793BF4234F708D3BE28633)
      • Advanced_IP_Scanner.exe (PID: 2432 cmdline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe MD5: 5537C708EDB9A2C21F88E34E8A0F1744)
        • Advanced_IP_Scanner.tmp (PID: 5704 cmdline: "C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp" /SL5="$10454,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" MD5: B87639F9A6CF5BA8C9E1F297C5745A67)
      • sihost.exe (PID: 3180 cmdline: C:\Windows\System32\sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
        • explorer.exe (PID: 5564 cmdline: explorer.exe /LOADSAVEDWINDOWS MD5: 662F4F92FDE3557E86D110526BB578D5)
    • Advanced_IP_Scanner.exe (PID: 6084 cmdline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe MD5: 5537C708EDB9A2C21F88E34E8A0F1744)
      • Advanced_IP_Scanner.tmp (PID: 1364 cmdline: "C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp" /SL5="$60218,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" MD5: B87639F9A6CF5BA8C9E1F297C5745A67)
    • sihost.exe (PID: 7164 cmdline: C:\Windows\System32\sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
      • explorer.exe (PID: 6940 cmdline: explorer.exe /LOADSAVEDWINDOWS MD5: 662F4F92FDE3557E86D110526BB578D5)
    • rundll32.exe (PID: 4416 cmdline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",CloseThreadWaitChainSession MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1912 cmdline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",GetThreadWaitChain MD5: EF3179D498793BF4234F708D3BE28633)
      • Advanced_IP_Scanner.exe (PID: 776 cmdline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe MD5: 5537C708EDB9A2C21F88E34E8A0F1744)
    • rundll32.exe (PID: 2096 cmdline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",OpenThreadWaitChainSession MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2936 cmdline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",WerpWalkGatherBlocks MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5932 cmdline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",WerpValidateReportKey MD5: EF3179D498793BF4234F708D3BE28633)
  • explorer.exe (PID: 6204 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • rundll32.exe (PID: 2352 cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"BeaconType": ["HTTPS"], "Port": 10443, "SleepTime": 15500, "MaxGetSize": 13982519, "Jitter": 15, "C2Server": "91.92.250.70,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1158277545, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 8092, "ProcInject_PrependAppend_x86": ["ZofJREVmh9KH20lITEAPHwBDQofSR2aQDx8EAGYPHwQAQEFmh9uHyZBGDx8ADx8A", "Empty"], "ProcInject_PrependAppend_x64": ["ZofJREVmh9KH20lITEAPHwBDQofSR2aQDx8EAGYPHwQAQEFmh9uHyZBGDx8ADx8A", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}
Source | Rule | Description | Author | Strings
00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security
00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
  • 0x189d8:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
  • 0x19d09:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security
00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security

          System Summary

          Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe, CommandLine: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe, NewProcessName: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe, OriginalFileName: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,CloseThreadWaitChainSession, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 616, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe, ProcessId: 6516, ProcessName: Advanced_IP_Scanner.exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 6204, ProcessName: explorer.exe
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-11-13T14:23:50.611079+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.6 | 49790 | TCP
          2024-11-13T14:24:38.680407+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.6 | 49959 | TCP
          2024-11-13T14:24:45.043364+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49950 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:25:06.750419+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49988 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:25:27.013214+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49998 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:25:49.671140+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50002 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:26:11.276689+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50005 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:26:31.304319+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50008 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:26:43.935481+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50010 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:26:52.846728+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50012 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:27:04.902481+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50016 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:27:12.814187+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50018 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:27:24.862958+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50022 | 91.92.250.70 | 10443 | TCP
          2024-11-13T14:27:33.605371+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50025 | 91.92.250.70 | 10443 | TCP


          AV Detection

          Source: cobaltstrike.dll | Avira: detected
          Source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike (the extracted configuration is identical to the one listed in the Classification section above)
          Source: cobaltstrike.dll | ReversingLabs: Detection: 47%
          Source: cobaltstrike.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: Z:\out\Release\NetUtils\x86\aips_is_install_dll.pdb source: aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr
          Source: Binary string: Z:\out\Release\NetUtils\x86\aips_wix_install_dll.pdb source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr

          Networking

          Source: Malware configuration extractor | URLs: 91.92.250.70
          Source: global traffic | TCP traffic: 192.168.2.6:49950 -> 91.92.250.70:10443
          Source: Joe Sandbox View | ASN Name: THEZONEBG THEZONEBG
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49950 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50008 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50012 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50002 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50022 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50025 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50005 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50018 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50010 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50016 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49998 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49988 -> 91.92.250.70:10443
          Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49790
          Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49959
          Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.250.70
          Source: global traffic | DNS traffic detected: DNS query: api.msn.com
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://s.symcd.com06
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://s.symcd.com0_
          Source: explorer.exe, 0000001C.00000003.2850336534.00000000091C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://support.radmin.com
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://support.radmin.com.
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://support.radmin.com.#
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://support.radmin.com.#:Finished_MsiErrorFromResource
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://support.radmin.comk0T0#
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://sw.symcb.com/sw.crl0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://sw.symcd.com0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://sw1.symcb.com/sw.crt0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
          Source: Amcache.hve.30.dr | String found in binary or memory: http://upx.sf.net
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=bg&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=br&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=cn&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=cz&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=da&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=de&ver=2-5-4594&beta=n&page=helpProductCode
          Source: Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=en&ver=2-5-4594&beta=n&page=helpREINSTALLMODEamusINS
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=es&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=et&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=fi&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=fr&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=gr&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=he&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=hr&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=hu&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=id&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=ir&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=it&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=jp&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=kr&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=lt&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=lv&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=nb&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=nl&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=pl&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=ro&1
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=ro&1042
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=ru&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=sa&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=se&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=sk&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=sl&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=sr&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=th&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=tr&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=tw&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=uk&ver=2-5-4594&beta=n&page=helpProductCode
          Source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr | String found in binary or memory: http://www.advanced-ip-scanner.com/link.php?lng=vn&ver=2-5-4594&beta=n&page=helpProductCode
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.drString found in binary or memory: http://www.advanced-ip-scanner.com0
          Source: Advanced_IP_Scanner.exe, 00000006.00000003.2249692168.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.exe, 00000006.00000003.2257922336.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000A.00000000.2277316777.0000000000415000.00000020.00000001.01000000.00000006.sdmp, Advanced_IP_Scanner.tmp.40.dr, Advanced_IP_Scanner.tmp.6.drString found in binary or memory: http://www.innosetup.com/
          Source: Advanced_IP_Scanner.exe, 00000006.00000000.2234411898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
          Source: Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/
          Source: Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/)
          Source: Advanced_IP_Scanner.exe, 00000008.00000003.2261826650.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 00000009.00000003.2287543092.000000000338D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.palkornel.hu/innosetup%1
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.qt.io/licensing/
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.radmin.com/about/legal/pp.php
          Source: Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radmin.com/about/legal/pp.php).
          Source: Advanced_IP_Scanner.exe, 00000006.00000003.2237175552.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.exe, 00000008.00000003.2261826650.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 00000009.00000003.2287543092.000000000338D000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.radmin.com/support/feedba
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000D.00000003.2548775849.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radmin.com/support/feedback/php
          Source: Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A64000.00000004.00000020.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000D.00000003.2548775849.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radmin.com/support/feedback/php.
          Source: Advanced_IP_Scanner.exe, 00000006.00000003.2249692168.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.exe, 00000006.00000003.2257922336.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000A.00000000.2277316777.0000000000415000.00000020.00000001.01000000.00000006.sdmp, Advanced_IP_Scanner.tmp.40.dr, Advanced_IP_Scanner.tmp.6.drString found in binary or memory: http://www.remobjects.com/ps
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576433373.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281533543.0000014316033000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019548626.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376909861.0000014316086000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576779331.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576661158.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635660696.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3165602891.0000014316063000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576433373.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316063000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376909861.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316066000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/.Q
          Source: sihost.exe, 00000015.00000003.4355324832.00000208217CB000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555511112.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463495917.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4663130336.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555696679.00000208217BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/i
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/n
          Source: sihost.exe, 00000014.00000003.3281533543.0000014316033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/ows
          Source: sihost.exe, 00000014.00000003.3281533543.0000014316053000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/ptography
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576661158.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635660696.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3165602891.0000014316063000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576433373.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316063000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376909861.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316066000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316066000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70/zQ
          Source: sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576779331.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463603936.00000208217F0000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4663130336.00000208217F0000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555511112.00000208217F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019548626.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/&
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/b
          Source: sihost.exe, 00000015.00000003.4555696679.00000208217BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcast
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcast&
          Source: sihost.exe, 00000014.00000003.3576433373.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376909861.0000014316086000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576779331.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcast(
          Source: sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcast-
          Source: sihost.exe, 00000015.00000003.4355457234.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555511112.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463495917.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4663130336.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555696679.00000208217BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcast3
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019548626.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcast32
          Source: sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019548626.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376909861.0000014316086000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastC
          Source: sihost.exe, 00000015.00000003.4663130336.00000208217E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastCryptography
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastCryptography%
          Source: sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastE
          Source: sihost.exe, 00000015.00000003.4355457234.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555511112.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463495917.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4663130336.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555696679.00000208217BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastM
          Source: sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastT
          Source: sihost.exe, 00000014.00000003.3281533543.0000014316053000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastVj
          Source: sihost.exe, 00000014.00000003.3281533543.0000014316053000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/broadcastfj
          Source: sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.92.250.70:10443/~
          Source: explorer.exe, 0000001C.00000003.2945807124.000000000C7E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com?c
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.drString found in binary or memory: https://d.symcb.com/cps0%
          Source: aips_is_install_dll.dll.10.drString found in binary or memory: https://d.symcb.com/rpa0
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.drString found in binary or memory: https://d.symcb.com/rpa0)
          Source: Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.drString found in binary or memory: https://d.symcb.com/rpa0.
          Source: sihost.exe, 00000015.00000003.4463495917.00000208217D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com
          Source: sihost.exe, 00000015.00000003.4355457234.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463495917.00000208217BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.comm
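The sihost.exe hits above show one beacon URL surfacing as dozens of variants (`/broadcast3`, `/broadcastCryptography%`, `www.amazon.comm`) because the string scanner reads past the NUL that ends the real string. The following is an added triage example, not part of the Joe Sandbox report and not how its "Found malware configuration" extraction works: it consolidates such hits into clean indicators with a prefix-support heuristic that is this example's own assumption. The sample input is a constructed, shortened copy of the hits listed above with the memory-dump identifiers removed.

```python
"""Consolidate noisy URL hits from a sandbox string scan into clean C2 indicators.

Added example, not part of the Joe Sandbox report. A string scanner reads memory past
the NUL that ends the real URL, so one beacon URL surfaces as many variants with
trailing junk. The prefix-support heuristic below is an assumption of this example.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")
MIN_SUPPORT = 2  # a candidate must be a prefix of at least this many hits to be trusted

# Constructed sample: shortened copies of the hits listed above, memory-dump IDs dropped.
SAMPLE_HITS = [
    "https://91.92.250.70/",
    "https://91.92.250.70/.Q",
    "https://91.92.250.70/ptography",
    "https://91.92.250.70:10443/",
    "https://91.92.250.70:10443/broadcast",
    "https://91.92.250.70:10443/broadcast&",
    "https://91.92.250.70:10443/broadcast3",
    "https://91.92.250.70:10443/broadcastCryptography%",
    "https://91.92.250.70:10443/broadcastVj",
    "https://91.92.250.70:10443/~",
    "https://www.amazon.com",
    "https://www.amazon.comm",
    "http://www.openssl.org/)",
    "https://arc.msn.com?c",
]


def extract_urls(lines):
    """Pull the URL out of each report line, tolerating the fused
    'Source: ...sdmpString found in binary or memory: URL' layout."""
    urls = []
    for line in lines:
        m = URL_RE.search(line)
        if m:
            urls.append(m.group(0))
    return urls


def consolidate(urls):
    """Split hits into (confirmed, unconfirmed).

    support(c) is the number of hits that start with c; duplicates count, so a URL seen
    in many memory dumps is confirmed even without junk variants. Confirmed indicators
    are the longest candidates with support >= MIN_SUPPORT. A hit that merely extends a
    supported candidate is treated as that candidate's junk variant and dropped.
    """
    observed = sorted(set(urls))
    support = {c: sum(1 for u in urls if u.startswith(c)) for c in observed}
    supported = [c for c in observed if support[c] >= MIN_SUPPORT]
    confirmed = [c for c in supported
                 if not any(o != c and o.startswith(c) for o in supported)]
    unconfirmed = [c for c in observed
                   if support[c] < MIN_SUPPORT
                   and not any(c.startswith(k) for k in supported)]
    return confirmed, unconfirmed


def to_indicator(url):
    """Normalise a consolidated URL to scheme/host/port/path, filling default ports
    and flagging the non-standard port the report's signature warns about."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port,
        "path": parts.path or "/",
        "nonstandard_port": port not in (80, 443),
    }


def c2_indicators(lines):
    """End-to-end: raw report lines -> confirmed, normalised indicators."""
    confirmed, _ = consolidate(extract_urls(lines))
    return [to_indicator(u) for u in confirmed]


if __name__ == "__main__":
    for ind in c2_indicators(SAMPLE_HITS):
        print(ind)
```

On the sample this yields `https://91.92.250.70/`, `https://91.92.250.70:10443/broadcast` and `https://www.amazon.com` as confirmed, with the single-occurrence openssl.org and arc.msn.com strings left as unconfirmed for manual review. The port 10443 entry is flagged as non-standard; the amazon.com string is the beacon's configured Host header rather than a real destination, so it is an indicator of the profile, not of the infrastructure.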

          System Summary

          Source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 00000029.00000002.4999809185.000001BA34866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
          Source: Joe Sandbox ViewDropped File: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe 26D5748FFE6BD95E3FEE6CE184D388A1A681006DC23A0F08D53C083C593C193B
          Source: C:\Windows\System32\sihost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1340 -s 544
          Source: cobaltstrike.dllStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
          Source: Advanced_IP_Scanner.tmp.6.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Advanced_IP_Scanner.tmp.6.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: Advanced_IP_Scanner.tmp.8.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Advanced_IP_Scanner.tmp.8.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: Advanced_IP_Scanner.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Advanced_IP_Scanner.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: Advanced_IP_Scanner.tmp.14.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Advanced_IP_Scanner.tmp.14.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: Advanced_IP_Scanner.tmp.40.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Advanced_IP_Scanner.tmp.40.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: cobaltstrike.dllStatic PE information: Number of sections : 12 > 10
          Source: cobaltstrike.dllBinary or memory string: OriginalFilenameaips_wix_install_dll.dllH vs cobaltstrike.dll
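The static findings above (an RT_RCDATA resource that is itself a PE32 GUI executable, 12 sections where more than 10 is flagged, non-standard section names) can be reproduced offline without the sandbox. The following is an added example, not Joe Sandbox code: a stdlib-only PE header walk that counts sections, lists names outside an allow-list of common linker section names (the `STANDARD_SECTIONS` set is this example's own choice), and scans the file body for embedded PE images, which is how a dropper's resource payload shows up. `make_pe()` builds a constructed synthetic sample so the script runs without the real binary.

```python
"""Static PE triage for the checks the report flags: section count, section names,
and PE images embedded in the file (a dropper's RT_RCDATA payload).

Added example, not Joe Sandbox code. Pure stdlib: headers are read with struct, so no
pefile is needed. make_pe() builds a constructed sample; STANDARD_SECTIONS is this
example's own allow-list of common section names.
"""
import struct

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".idata",
                     ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
MAX_SECTIONS = 10  # the report's "Number of sections : 12 > 10" threshold


def pe_header_offset(data, base=0):
    """Return the offset of 'PE\\0\\0' for a DOS/PE image starting at base, or None."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew >= 0x1000 or pe + 24 + 70 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def coff_header(data, pe):
    """Unpack the 20-byte COFF header after the PE signature plus the optional
    header's Subsystem field (at optional-header offset 68 for PE32 and PE32+)."""
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    subsystem = struct.unpack_from("<H", data, pe + 24 + 68)[0]
    return {"machine": MACHINES.get(machine, hex(machine)), "sections": nsec,
            "opt_size": opt_size, "dll": bool(chars & IMAGE_FILE_DLL),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))}


def section_names(data, pe, hdr):
    """Read the 40-byte section headers that follow the optional header."""
    table = pe + 24 + hdr["opt_size"]
    names = []
    for i in range(hdr["sections"]):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def find_embedded_pe(data):
    """Scan for PE images inside the file (resources, overlay), skipping the outer header."""
    found, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        pe = pe_header_offset(data, pos)
        if pe is not None:
            found.append({"offset": pos, **coff_header(data, pe)})
        pos = data.find(b"MZ", pos + 1)
    return found


def triage(data):
    """Reproduce the report's static findings for one PE image."""
    pe = pe_header_offset(data)
    if pe is None:
        raise ValueError("not a PE file")
    hdr = coff_header(data, pe)
    names = section_names(data, pe, hdr)
    return {
        "machine": hdr["machine"], "dll": hdr["dll"], "subsystem": hdr["subsystem"],
        "section_count": len(names),
        "many_sections": len(names) > MAX_SECTIONS,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "embedded_pe": find_embedded_pe(data),
    }


def make_pe(names, machine=0x8664, characteristics=0x2022, subsystem=2, payloads=None):
    """Build a minimal synthetic PE (constructed test data, not a real binary):
    DOS stub, COFF header, 96-byte optional header, section table, raw section data."""
    payloads, opt_size = payloads or {}, 96
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", machine, len(names), 0, 0, 0, opt_size, characteristics)
    magic = 0x20B if machine == 0x8664 else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 66 + struct.pack("<H", subsystem) + b"\0" * 26
    raw_ptr, table, body = 64 + 4 + 20 + opt_size + 40 * len(names), b"", b""
    for name in names:
        blob = payloads.get(name, b"\0" * 16)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), 0x1000, len(blob),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + blob, raw_ptr + len(blob)
    return dos + b"PE\0\0" + coff + opt + table + body


def build_sample():
    """Constructed sample mirroring the report: a 64-bit DLL with 12 sections, two odd
    section names, and a 32-bit GUI executable embedded in .rsrc."""
    inner = make_pe([".text", ".data"], machine=0x14C, characteristics=0x0102, subsystem=2)
    names = [".text", ".rdata", ".data", ".pdata", ".xdata", ".idata",
             ".tls", ".rsrc", ".reloc", ".bss", ".xy01", ".xy02"]
    return make_pe(names, payloads={".rsrc": b"\0" * 8 + inner})


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against a real sample with `triage(open(path, "rb").read())`. The embedded-PE scan is deliberately loose (any `MZ` whose `e_lfanew` points at a valid `PE\0\0`), so it also catches payloads stored in an overlay or a custom section, not only in the resource directory; carving the blob at the reported offset gives the dropped file to hash and compare against the report's dropped-file SHA256.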
          Source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 00000029.00000002.4999809185.000001BA34866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: explorer.exe, 0000001C.00000003.2946050514.000000000C892000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2950866569.000000000C892000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /;.VBP
          Source: classification engineClassification label: mal100.troj.evad.winDLL@94/22@1/1
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
          Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1340
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpMutant created: \Sessions\1\BaseNamedObjects\Advanced IP Scanner
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeFile created: C:\Users\user\AppData\Local\Temp\is-1QM08.tmpJump to behavior
Source: C:\Windows\System32\sihost.exe | Process created: C:\Windows\explorer.exe (x8)
Source: unknown | Process created: C:\Windows\explorer.exe
Source: cobaltstrike.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (x5)
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\explorer.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,CloseThreadWaitChainSession (x3)
Source: cobaltstrike.dll | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\cobaltstrike.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1 (x2)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1 (x2)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe C:\Users\Public\Downloads\Advanced_IP_Scanner.exe (x8)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,GetThreadWaitChain (x2)
Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp "C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp" /SL5="$20408,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" (x2)
Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp "C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp" /SL5="$30412,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,OpenThreadWaitChainSession (x2)
Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | Process created: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp "C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp" /SL5="$10454,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe C:\Users\Public\Downloads\Advanced_IP_Scanner.exe (x2)
Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp "C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp" /SL5="$60218,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" (x2)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\sihost.exe C:\Windows\System32\sihost.exe (x8)
Source: C:\Windows\System32\sihost.exe | Process created: C:\Windows\explorer.exe explorer.exe /LOADSAVEDWINDOWS (x8)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\sihost.exe C:\Windows\System32\sihost.exe (x2)
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Windows\System32\sihost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1340 -s 544
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",CloseThreadWaitChainSession (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",GetThreadWaitChain (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",OpenThreadWaitChainSession (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",WerpWalkGatherBlocks (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",WerpValidateReportKey (x2)
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown (x27)
Source: C:\Windows\System32\rundll32.exe | Process created: unknown unknown (x4)
Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | Process created: unknown unknown
          Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\loaddll64.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: msi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpSection loaded: cabinet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: msi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpSection loaded: cabinet.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: msi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: cabinet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: msftedit.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: windows.globalization.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: bcp47mrm.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpSection loaded: globinputhost.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpSection loaded: dwmapi.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: desktopshellext.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Windows\System32\sihost.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
          Source: C:\Windows\System32\sihost.exe | Section loaded: wwanmm.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\sihost.exe | Section loaded: schannel.dll
          Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
          Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
          Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
          Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
          Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
          Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
          Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
          Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
          Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
          Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
          Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
          Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
          Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\explorer.exe | Section loaded: slc.dll
          Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
          Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
          Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
          Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
          Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
          Source: C:\Windows\explorer.exe | Section loaded: icu.dll
          Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
          Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
          Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
          Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
          Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
          Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
          Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
          Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
          Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
          Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
          Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
          Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
          Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
          Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
          Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
          Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
          Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
          Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
          Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
          Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
          Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
          Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
          Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
          Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
          Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
          Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
          Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
          Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
          Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
          Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
          Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
          Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
          Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
          Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: photometadatahandler.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinui.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinui.dll
          Source: C:\Windows\explorer.exe | Section loaded: pdh.dll
          Source: C:\Windows\explorer.exe | Section loaded: applicationframe.dll
          Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
          Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
          Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: sxs.dll
          Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
          Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
          Source: C:\Windows\explorer.exe | Section loaded: duser.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.fileexplorer.dll
          Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
          Source: C:\Windows\explorer.exe | Section loaded: uiribbon.dll
          Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.fileexplorer.common.dll
          Source: C:\Windows\explorer.exe | Section loaded: networkexplorer.dll
          Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
          Source: C:\Windows\explorer.exe | Section loaded: winmm.dll
          Source: C:\Windows\explorer.exe | Section loaded: holographicextensions.dll
          Source: C:\Windows\explorer.exe | Section loaded: virtualmonitormanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.immersive.dll
          Source: C:\Windows\explorer.exe | Section loaded: abovelockapphost.dll
          Source: C:\Windows\explorer.exe | Section loaded: npsm.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.shell.bluelightreduction.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.web.dll
          Source: C:\Windows\explorer.exe | Section loaded: mscms.dll
          Source: C:\Windows\explorer.exe | Section loaded: coloradapterclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.signals.dll
          Source: C:\Windows\explorer.exe | Section loaded: tdh.dll
          Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorybroker.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfplat.dll
          Source: C:\Windows\explorer.exe | Section loaded: rtworkq.dll
          Source: C:\Windows\explorer.exe | Section loaded: taskflowdatauser.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.security.authentication.web.core.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.data.activities.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.system.launcher.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.ui.shell.windowtabmanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.devices.enumeration.dll
          Source: C:\Windows\explorer.exe | Section loaded: devdispitemprovider.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.networking.connectivity.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.core.textinput.dll
          Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
          Source: C:\Windows\explorer.exe | Section loaded: windowsudk.shellcommon.dll
          Source: C:\Windows\explorer.exe | Section loaded: dictationmanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
          Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
          Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\explorer.exe | Section loaded: npmproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
          Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
          Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
          Source: C:\Windows\explorer.exe | Section loaded: dpapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
          Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\explorer.exe | Section loaded: schannel.dll
          Source: C:\Windows\explorer.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.ui.xaml.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windowsinternal.composableshell.desktophosting.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: uiamanager.dllJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: uxtheme.dll
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeSection loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpWindow found: window name: TSelectLanguageFormJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpAutomated click: OK
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpAutomated click: OK
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpAutomated click: OK
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpAutomated click: OK
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpAutomated click: OK
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: cobaltstrike.dllStatic PE information: More than 144 > 100 exports found
          Source: cobaltstrike.dllStatic PE information: Image base 0x2c1a60000 > 0x60000000
          Source: cobaltstrike.dllStatic file information: File size 22275072 > 1048576
          Source: cobaltstrike.dllStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x145f800
          Source: cobaltstrike.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: Z:\out\Release\NetUtils\x86\aips_is_install_dll.pdb source: aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.dr
          Source: Binary string: Z:\out\Release\NetUtils\x86\aips_wix_install_dll.pdb source: cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr
          Source: cobaltstrike.dllStatic PE information: section name: .xdata
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD4442487D push ebx; iretd 18_2_00007FFD44424885
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD444248F0 push ebx; iretd 18_2_00007FFD444248F1
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD444211B2 push ebp; ret 18_2_00007FFD444211D1
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD44422FAA push ebx; retf 18_2_00007FFD44422FD5
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD44423960 push ebp; retf 18_2_00007FFD44423975
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD4442123F push ebp; ret 18_2_00007FFD444211D1
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD44422FF8 push edx; retf 18_2_00007FFD44422FF9
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD44423012 push eax; retf 18_2_00007FFD44423019
          Source: C:\Windows\System32\sihost.exeCode function: 18_2_00007FFD44423004 push edx; retf 18_2_00007FFD44423005
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD4442487D push ebx; iretd 20_3_00007FFD44424885
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD444248F0 push ebx; iretd 20_3_00007FFD444248F1
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD444211B2 push ebp; ret 20_3_00007FFD444211D1
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD44422FAA push ebx; retf 20_3_00007FFD44422FD5
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD44423960 push ebp; retf 20_3_00007FFD44423975
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD4442123F push ebp; ret 20_3_00007FFD444211D1
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD44422FF8 push edx; retf 20_3_00007FFD44422FF9
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD44423012 push eax; retf 20_3_00007FFD44423019
          Source: C:\Windows\System32\sihost.exeCode function: 20_3_00007FFD44423004 push edx; retf 20_3_00007FFD44423005
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\aips_is_install_dll.dllJump to dropped file
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeFile created: C:\Users\user\AppData\Local\Temp\is-FDD04.tmp\Advanced_IP_Scanner.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeJump to dropped file
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeFile created: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\aips_is_install_dll.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\_isetup\_shfoldr.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeFile created: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\_isetup\_shfoldr.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\aips_is_install_dll.dllJump to dropped file
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeFile created: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpJump to dropped file
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeFile created: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\_isetup\_shfoldr.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpFile created: C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\sihost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\sihost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\sihost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\sihost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Users\Public\Downloads\Advanced_IP_Scanner.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\aips_is_install_dll.dll
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\aips_is_install_dll.dll
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\aips_is_install_dll.dll
Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\sihost.exe | Last function: Thread delayed
Source: C:\Windows\System32\sihost.exe | Last function: Thread delayed
Source: explorer.exe, 0000001C.00000003.2857128914.0000000009355000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8PS5\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 0000001C.00000003.2857066340.00000000093D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:/q
Source: Amcache.hve.30.dr | Binary or memory string: VMware
Source: Amcache.hve.30.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.30.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.30.dr | Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001C.00000003.2950866569.000000000C892000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.30.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.30.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.30.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: sihost.exe, 00000014.00000003.3576661158.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4343208696.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3165602891.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316077000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316077000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000001C.00000003.2946050514.000000000C892000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2950866569.000000000C892000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wgencounter.infgencounter.devicedescMicrosoft Hyper-V Generation Counterwgencounter.infIiXR
Source: explorer.exe, 0000001C.00000003.2946625515.000000000C909000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: sihost.exe, 00000014.00000003.3281533543.0000014316033000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.30.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.30.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000001C.00000003.2857776942.0000000009309000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000001C.00000003.2857776942.0000000009309000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\[
Source: Amcache.hve.30.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.30.dr | Binary or memory string: vmci.syshbin`
Source: explorer.exe, 0000001C.00000003.2946625515.000000000C909000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\
Source: Amcache.hve.30.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: explorer.exe, 0000001C.00000003.2950866569.000000000C892000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.30.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.30.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.30.drBinary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.30.drBinary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.30.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.30.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.30.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.30.drBinary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.30.drBinary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.30.drBinary or memory string: VMware Virtual RAM
          Source: Amcache.hve.30.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.30.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Windows\System32\sihost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\System32\sihost.exeProcess queried: DebugPortJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\System32\loaddll64.exe | NtCreateUserProcess: Indirect: 0x7FFD91C5B500
          Source: C:\Windows\System32\loaddll64.exe | NtAllocateVirtualMemory: Indirect: 0x7FFD91C67ED5
          Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Indirect: 0x7FFD91C68FC8
          Source: C:\Windows\System32\loaddll64.exe | NtCreateUserProcess: Indirect: 0x7FFD91C6FAFF
          Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Indirect: 0x7FFD91C69C89
          Source: C:\Windows\System32\loaddll64.exe | NtWriteVirtualMemory: Indirect: 0x7FFD91C6A0DB
          Source: C:\Windows\System32\loaddll64.exe | NtWriteVirtualMemory: Indirect: 0x7FFD91C69132
          Source: C:\Windows\System32\loaddll64.exe | NtWriteVirtualMemory: Indirect: 0x7FFD91C69F18
          Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Indirect: 0x7FFD91C6A299
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 1080 base: F0000 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 1080 base: 2582D8 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 3992 base: 780000 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 3992 base: 9992D8 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 5564 base: DF0000 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 5564 base: F0A2D8 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 6940 base: 800000 value: 00
          Source: C:\Windows\System32\sihost.exe | Memory written: PID: 6940 base: 68B2D8 value: 00
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1
          Source: C:\Windows\System32\sihost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Amcache.hve.30.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.30.dr | Binary or memory string: msmpeng.exe
          Source: Amcache.hve.30.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.30.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.30.dr | Binary or memory string: MsMpEng.exe

          Remote Access Functionality

          Source: Yara match | File source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000029.00000002.4999809185.000001BA34866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: sihost.exe PID: 1340, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: sihost.exe PID: 516, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR
          MITRE ATT&CK techniques by tactic (a number in front of a technique is the report's signature-count badge for that technique):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: 111 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: 1 Masquerading; 11 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Abuse Elevation Control Mechanism; 1 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 121 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 System Owner/User Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
          [Behavior graph, rendered image not reproduced. Behavior Graph ID: 1555135, Sample: cobaltstrike.exe, Startdate: 13/11/2024, Architecture: WINDOWS, Score: 100. Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures. Process chain shown in the graph: loaddll64.exe (Found direct / indirect Syscall, likely to bypass EDR) starts several rundll32.exe instances; each rundll32.exe starts sihost.exe and Advanced_IP_Scanner.exe; sihost.exe injects code into explorer.exe (Query firmware table information, likely to detect VMs) and connects to 91.92.250.70, 10443, 49950, 49980 (THEZONEBG, Bulgaria); Advanced_IP_Scanner.exe drops Advanced_IP_Scanner.tmp (PE32), which in turn drops aips_is_install_dll.dll (PE32), _shfoldr.dll (PE32) and _setup64.tmp (PE32+) under C:\Users\user\AppData\Local; one sihost.exe instance ends in WerFault.exe. Contacted domain: api.msn.com.]

          Source | Detection | Scanner | Label | Link
          cobaltstrike.dll | 47% | ReversingLabs | Win64.Trojan.HavokizMarte |
          cobaltstrike.dll | 100% | Avira | TR/FileCoder.hlwyn |

          Source | Detection | Scanner | Label | Link
          C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | 3% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp | 3% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-2FLEP.tmp\aips_is_install_dll.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-BT8N1.tmp\aips_is_install_dll.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp | 3% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-FDD04.tmp\Advanced_IP_Scanner.tmp | 3% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp | 3% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp | 3% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\is-STV6O.tmp\aips_is_install_dll.dll | 0% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          api.msn.com | unknown | unknown | false | | high

          Name | Malicious | Antivirus Detection | Reputation
          91.92.250.70 | true | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
                                              high
                                              https://91.92.250.70:10443/broadcastTsihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.advanced-ip-scanner.com/link.php?lng=es&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                high
                                                http://support.radmin.comAdvanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.advanced-ip-scanner.com/link.php?lng=fr&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                  high
                                                  http://www.advanced-ip-scanner.com/link.php?lng=gr&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                    high
                                                    http://www.advanced-ip-scanner.com/link.php?lng=pl&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                      high
                                                      http://www.innosetup.com/Advanced_IP_Scanner.exe, 00000006.00000003.2249692168.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.exe, 00000006.00000003.2257922336.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000A.00000000.2277316777.0000000000415000.00000020.00000001.01000000.00000006.sdmp, Advanced_IP_Scanner.tmp.40.dr, Advanced_IP_Scanner.tmp.6.drfalse
                                                        high
                                                        http://www.advanced-ip-scanner.com/link.php?lng=hr&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                          high
                                                          http://www.advanced-ip-scanner.com/link.php?lng=bg&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                            high
                                                            http://www.advanced-ip-scanner.com/link.php?lng=br&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                              high
                                                              http://www.advanced-ip-scanner.com/link.php?lng=en&ver=2-5-4594&beta=n&page=helpREINSTALLMODEamusINSAdvanced_IP_Scanner.exe.4.drfalse
                                                                high
                                                                http://www.advanced-ip-scanner.com/link.php?lng=ir&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                  high
                                                                  http://www.advanced-ip-scanner.com/link.php?lng=se&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                    high
                                                                    http://www.advanced-ip-scanner.com/link.php?lng=kr&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                      high
                                                                      http://www.advanced-ip-scanner.com/link.php?lng=he&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                        high
                                                                        https://91.92.250.70:10443/&sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019548626.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://support.radmin.comk0T0#Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://upx.sf.netAmcache.hve.30.drfalse
                                                                          high
                                                                          http://www.advanced-ip-scanner.com/link.php?lng=fi&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                            high
                                                                            http://www.radmin.com/support/feedback/phpAdvanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000D.00000003.2548775849.0000000000878000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.advanced-ip-scanner.com/link.php?lng=cn&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                              high
                                                                              http://www.advanced-ip-scanner.com/link.php?lng=vn&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                high
                                                                                https://91.92.250.70/sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4543176264.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576433373.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3927157672.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281533543.0000014316033000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019404037.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4635863611.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4019548626.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 
00000014.00000003.3376909861.0000014316086000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576779331.0000014316088000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.advanced-ip-scanner.com/link.php?lng=lt&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                  high
                                                                                  http://schemas.micrexplorer.exe, 0000001C.00000003.2850336534.00000000091C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://support.radmin.com.Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.advanced-ip-scanner.com/link.php?lng=tr&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                      high
                                                                                      http://www.advanced-ip-scanner.com/link.php?lng=sr&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                        high
                                                                                        http://www.advanced-ip-scanner.com/link.php?lng=lv&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                          high
                                                                                          http://www.advanced-ip-scanner.com/link.php?lng=sa&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                            high
                                                                                            https://91.92.250.70:10443/sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576779331.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463603936.00000208217F0000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4663130336.00000208217F0000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555511112.00000208217F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://91.92.250.70:10443/broadcast-sihost.exe, 00000014.00000003.3803856721.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3711474066.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3812370712.0000014316088000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.advanced-ip-scanner.com0Advanced_IP_Scanner.tmp, 0000000A.00000002.4924239494.000000000018F000.00000004.00000010.00020000.00000000.sdmp, cobaltstrike.dll, Advanced_IP_Scanner.exe.4.dr, aips_is_install_dll.dll.13.dr, aips_is_install_dll.dll.10.drfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://support.radmin.com.#:Finished_MsiErrorFromResourceAdvanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.advanced-ip-scanner.com/link.php?lng=ru&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                              high
                                                                                              https://91.92.250.70/owssihost.exe, 00000014.00000003.3281533543.0000014316033000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://91.92.250.70/ptographysihost.exe, 00000014.00000003.3281533543.0000014316053000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://91.92.250.70:10443/broadcast3sihost.exe, 00000015.00000003.4355457234.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555511112.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4463495917.00000208217BA000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4663130336.00000208217BD000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000015.00000003.4555696679.00000208217BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://91.92.250.70:10443/broadcastfjsihost.exe, 00000014.00000003.3281533543.0000014316053000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.advanced-ip-scanner.com/link.php?lng=da&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                                high
                                                                                                https://91.92.250.70:10443/broadcast&sihost.exe, 00000014.00000003.4343208696.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435523241.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4435239207.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.advanced-ip-scanner.com/link.php?lng=nb&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                                  high
                                                                                                  https://91.92.250.70:10443/broadcast(sihost.exe, 00000014.00000003.3576433373.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4219916450.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4127862749.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376744458.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3484621861.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.4220116820.0000014316088000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3376909861.0000014316086000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3281435880.0000014316084000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000014.00000003.3576779331.0000014316088000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://91.92.250.70:10443/broadcastsihost.exe, 00000015.00000003.4555696679.00000208217BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.advanced-ip-scanner.com/link.php?lng=de&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                                    high
                                                                                                    http://www.advanced-ip-scanner.com/link.php?lng=id&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                                      high
                                                                                                      http://www.openssl.org/)Advanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A64000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.remobjects.com/psAdvanced_IP_Scanner.exe, 00000006.00000003.2249692168.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.exe, 00000006.00000003.2257922336.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000A.00000000.2277316777.0000000000415000.00000020.00000001.01000000.00000006.sdmp, Advanced_IP_Scanner.tmp.40.dr, Advanced_IP_Scanner.tmp.6.drfalse
                                                                                                          high
                                                                                                          http://www.advanced-ip-scanner.com/link.php?lng=tw&ver=2-5-4594&beta=n&page=helpProductCodecobaltstrike.dll, Advanced_IP_Scanner.exe.4.drfalse
                                                                                                            high
                                                                                                            http://www.radmin.com/support/feedbaAdvanced_IP_Scanner.exe, 00000006.00000003.2237175552.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.exe, 00000008.00000003.2261826650.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 00000009.00000003.2287543092.000000000338D000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner.tmp, 0000000A.00000003.2286560487.00000000031A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.openssl.orgAdvanced_IP_Scanner.tmp, 0000000D.00000003.2550554167.0000000003A94000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
91.92.250.70 | unknown | Bulgaria | 34368 | THEZONEBG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1555135
Start date and time: 2024-11-13 14:22:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: cobaltstrike.dll
(renamed file extension from exe to dll)
Original Sample Name: cobaltstrike.exe
Detection: MAL
Classification: mal100.troj.evad.winDLL@94/22@1/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe, SearchApp.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212, 204.79.197.203
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, api-msn-com.a-0003.a-msedge.net
• Execution Graph export aborted for target Advanced_IP_Scanner.tmp, PID 2100 because there are no executed functions
• Execution Graph export aborted for target sihost.exe, PID 1340 because there are no executed functions
• Execution Graph export aborted for target sihost.exe, PID 516 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
                                                                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                                              • Report size getting too big, too many NtOpenKey calls found.
                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                              • VT rate limit hit for: cobaltstrike.dll
Time | Type | Description
08:24:12 | API Interceptor | 14x Sleep call for process: explorer.exe modified
08:24:28 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
08:24:54 | API Interceptor | 7x Sleep call for process: sihost.exe modified
14:24:12 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
THEZONEBG | sample.bin | Get hash | malicious | Okiru | Browse | 91.92.246.113
 | mirai.mpsl.elf | Get hash | malicious | Mirai | Browse | 85.217.215.190
 | SecuriteInfo.com.Win32.BotX-gen.7614.10551.exe | Get hash | malicious | Unknown | Browse | 91.92.242.236
 | Scan_Revised-SOP_MCA_pdf.js | Get hash | malicious | WSHRAT | Browse | 91.92.243.39
 | na.elf | Get hash | malicious | Mirai, Moobot | Browse | 85.217.208.78
 | m7DmyQOKD7.exe | Get hash | malicious | RHADAMANTHYS | Browse | 91.92.255.109
 | mipsel.nn.elf | Get hash | malicious | Okiru | Browse | 91.92.246.113
 | arm7.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 91.92.246.113
 | x86_32.nn.elf | Get hash | malicious | Okiru | Browse | 91.92.246.113
 | x86_64.nn.elf | Get hash | malicious | Okiru | Browse | 91.92.246.113
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe | Get hash | malicious | Unknown | Browse |
 | Advanced_IP_Scanner_2.5.4594.1 (1).exe | Get hash | malicious | Unknown | Browse |
 | ipscan.msi | Get hash | malicious | Darkgate | Browse |
 | Advanced_IP_Scanner.exe | Get hash | malicious | DanaBot | Browse |
 | Advanced_IP_Scanner.exe | Get hash | malicious | DanaBot | Browse |
 | IPAVSCAN_win_version_1.1.3.msi | Get hash | malicious | Unknown | Browse |
 | Advanced_IP_Scanner_2.5.4594.1_net.exe | Get hash | malicious | Unknown | Browse |
 | Advanced_IP_Scanner_2.5.4594.1_net.exe | Get hash | malicious | Unknown | Browse |
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8069608834375795
Encrypted:false
SSDEEP:96:KOFH7TkXsf43o67JfWQXIDcQ9c6Q+cE2cw3/kd+HbHgrZJJORXkomHBhsv5oOy9h:dF7TkXn0z8+Mbj7YzuiFdZ24lO8A
MD5:D4FD5A46A9B50FA1AF87DD1F77192EDA
SHA1:C84AF403F188A09541871CABE96A2603AF6F8831
SHA-256:163A08509A944C0CA8A81B6E9ECEB932BCAFAF76FE57F25BFDEE21872BD56377
SHA-512:C5550EEFCFDF855E90FAA25F3C2B4EAE105FCAA2FBC84DF64BC5C8E4CD61DABDA0E5F6E8C2F0BFB241F2CB405E0B1737C5780A60CAC96FC8886870AD16917335
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Nov 13 13:24:12 2024, 0x1205a4 type
Category:dropped
Size (bytes):108356
Entropy (8bit):1.6415575688666364
Encrypted:false
SSDEEP:384:0qEsocxvOfl5MEeY44SHtG5Ixla+uSePU2daL55hB:8socxWyrrwo1B
MD5:8908A46AD58B4712E7A18AB7F5503B85
SHA1:A825DE910FF2597A565F0DD3BD11C31CA798C612
SHA-256:99A0D90CD0D2D023AF897E4D12AB3304CBC795558670360BF1E8DF75CC823DCE
SHA-512:79AC7E977CDB7EAD72A05DF0ACE11776E87E22681D522D00714B453F01AFDD8E1EA1DC617E0ADD01C0CB31CEEC424D13E6D5EB1FEC789B4AC187268B8449B6B5
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8578
Entropy (8bit):3.698100009074635
Encrypted:false
SSDEEP:192:R6l7wVeJtAqL6YLN3IgmfdIw9S6pDRN89b7j+f7Jm:R6lXJqQ6YhYgmfd/c8q7af4
MD5:34E5862987A26BF76A3F34137F4680DE
SHA1:1B0F6C5FB55C9B1AC275D063E48F77A9062B3968
SHA-256:8034C46BA0D405E40057AFCE4EE9DFE2088D29CD7665588175FBE0E2CC17BA5E
SHA-512:F6EEC9E14C09E46AD84A84DBD62828F223BF18F37F194DE097D4072A04B88971ED6043E464FD4D6393B8B2355A591FAD79A70E3D050D6EF21DCE1B66CF279ECE
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4740
Entropy (8bit):4.48120556226066
Encrypted:false
SSDEEP:48:cvIwWl8zseJg771I9P0WpW8VYyYm8M4JdXOKFj1tyq85lxOd1nas2d:uIjfUI78t7VqJlnbQA1n92d
MD5:397CCFB3B4EA562407F483ECE7C86FD4
SHA1:102466FEBFD18453250E80F3B77EA470489F287B
SHA-256:9FD6A4BE63F124E3CCBFB65765FFC47702F69639A6031DA609956B3E76ACA684
SHA-512:70CF376DA06EFACA50A395E0C3AD27D04FE5860EF6462087E91DF344D2F433890A686341E7E3CC5AEC596B797BF8F13D4DA375969FADA1CCF5B4F6AA5399621B
Malicious:false
Process:C:\Windows\System32\rundll32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21050672
Entropy (8bit):7.991846277981261
Encrypted:true
SSDEEP:393216:Plu7Txs0NDmNh9D4HaSYz2Kj0Cz1gEVmWdQOjM/y3tFfs5IRRViGmMQZ+Bw5i:A7Th9mT97S7CzNwWCJK05IRTX+Fi
MD5:5537C708EDB9A2C21F88E34E8A0F1744
SHA1:86233A285363C2A6863BF642DEAB7E20F062B8EB
SHA-256:26D5748FFE6BD95E3FEE6CE184D388A1A681006DC23A0F08D53C083C593C193B
SHA-512:35F44C0DF4635A1020F52743D7CF3E4346D1BDF9010161326E572250AC93E0285B202532A07D2DB8DBC67F6F0CED864083769E904BD5D82611244339CA8D31A1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: , Detection: malicious, Browse
• Filename: Advanced_IP_Scanner_2.5.4594.1 (1).exe, Detection: malicious, Browse
• Filename: ipscan.msi, Detection: malicious, Browse
• Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse
• Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse
• Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious, Browse
• Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse
• Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse
Process:C:\Windows\explorer.exe
File Type:data
Category:dropped
Size (bytes):107504
Entropy (8bit):3.99886998801198
Encrypted:false
SSDEEP:768:cY18vKkRGbgCMzjk0Yc/ImXkrgQNKLlFRjwHGpPhYDR1vI3XQ1/mOypZr3E5UhyD:cHKk2gB/ImXkEqLUh2i4GGndrFkEKtJ8
MD5:AA5AF62540E19BB6B59DD7C9AAA52EC9
SHA1:7BE4CFB705EEC4418504782DF7E9BA70DE953B8C
SHA-256:E743A9726991FDF4108EAEAFE8B2CD30CB4AF54D22203652708ED5E6F88D40A1
SHA-512:FA12F4F0CDE2AFCB23BB70B7A3EE09D696D2904E8BE499E75FA6C04105F4A0EDF8ED41B242CB5631B49E34FF58272E656B9A992B488CDD97BF08436710C0D4E7
Malicious:false
Process:C:\Windows\explorer.exe
File Type:JSON data
Category:dropped
Size (bytes):800
Entropy (8bit):5.142156644904079
Encrypted:false
SSDEEP:12:YWgc2Wi4H+uibfy22KmwhbfH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB8Qxc3Z:Yzc2WfHRt2hDHt0drc6hE10g
MD5:F1102100129EFA4A08486602CDB2CF20
SHA1:F18E844B09DF38B4873DFC38434CCC4385637839
SHA-256:D03D6651D6988162013EA0B83D37393CAE1F85DFC44A3B6CA3F84EC30AC71B23
SHA-512:D88ACF84CD09DF9D6E6F203641ED4F6971D2D9E31DD90FFB9E507216B7BAB4BCA99C4BFF7044400B09D21504F4C79121164964720B7B16752B2136128DAD04CD
Malicious:false
                                                                                                                              Preview:{"serviceContext":{"serviceActivityId":"e3047d3b-ddec-4932-a678-56546160ad2d","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"e3047d3b-ddec-4932-a678-56546160ad2d|2024-11-13T13:24:38.2294730Z|fabric_msn|EUS2-A|News_870","tier":"\u0000"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true},"isPartial":false}
                                                                                                                              Process:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1190912
                                                                                                                              Entropy (8bit):6.396170525244629
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24576:Z4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96BxYx9v1:iT90guMXEdqwHkUBK3
                                                                                                                              MD5:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              SHA1:CE4758849B53AF582D2D8A1BC0DB20683E139FCC
                                                                                                                              SHA-256:EC8252A333F68865160E26DC95607F2C49AF00F78C657F7F8417AB9D86E90BF7
                                                                                                                              SHA-512:9626FC4AA4604EEE7EDEDA62B9DC78A3F6FE388EAF1FA6C916A3715B0DFF65C417EEDE156D82398C2400977A36457122565E15E0ED0E435B28CB9F796005C1C0
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6144
                                                                                                                              Entropy (8bit):4.289297026665552
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                              MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                              SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                              SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                              SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):23312
                                                                                                                              Entropy (8bit):4.596242908851566
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):152616
                                                                                                                              Entropy (8bit):6.538512364495765
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:RMmLlzH5vVOS6vHZM+70gxvlou/xq+1f2auYpLAbPTxTTtFBImEQ3F65D:dZ/OSO7gK5q+N2ahjOF65D
                                                                                                                              MD5:57E73855FAD786A59893D6581E9FB5B9
                                                                                                                              SHA1:630E52B9E88A05ADD68401BD62790ED8E2C3282A
                                                                                                                              SHA-256:3A7A8AA906C65124C4EE82AACB81D723CE69864CCAF041F631B8131DE59E4A88
                                                                                                                              SHA-512:BE0CF0925535DD667488175F2EAC660D1EBF8429CE6725252C59FB70B00FC2F21B1E0B7CE632EAA53337AE25E44C641E13A3DF0B415724498D30DAF00B296F4D
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6144
                                                                                                                              Entropy (8bit):4.289297026665552
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                              MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                              SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                              SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                              SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):23312
                                                                                                                              Entropy (8bit):4.596242908851566
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):152616
                                                                                                                              Entropy (8bit):6.538512364495765
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:RMmLlzH5vVOS6vHZM+70gxvlou/xq+1f2auYpLAbPTxTTtFBImEQ3F65D:dZ/OSO7gK5q+N2ahjOF65D
                                                                                                                              MD5:57E73855FAD786A59893D6581E9FB5B9
                                                                                                                              SHA1:630E52B9E88A05ADD68401BD62790ED8E2C3282A
                                                                                                                              SHA-256:3A7A8AA906C65124C4EE82AACB81D723CE69864CCAF041F631B8131DE59E4A88
                                                                                                                              SHA-512:BE0CF0925535DD667488175F2EAC660D1EBF8429CE6725252C59FB70B00FC2F21B1E0B7CE632EAA53337AE25E44C641E13A3DF0B415724498D30DAF00B296F4D
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Process:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1190912
                                                                                                                              Entropy (8bit):6.396170525244629
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24576:Z4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96BxYx9v1:iT90guMXEdqwHkUBK3
                                                                                                                              MD5:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              SHA1:CE4758849B53AF582D2D8A1BC0DB20683E139FCC
                                                                                                                              SHA-256:EC8252A333F68865160E26DC95607F2C49AF00F78C657F7F8417AB9D86E90BF7
                                                                                                                              SHA-512:9626FC4AA4604EEE7EDEDA62B9DC78A3F6FE388EAF1FA6C916A3715B0DFF65C417EEDE156D82398C2400977A36457122565E15E0ED0E435B28CB9F796005C1C0
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                              Process:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1190912
                                                                                                                              Entropy (8bit):6.396170525244629
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24576:Z4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96BxYx9v1:iT90guMXEdqwHkUBK3
                                                                                                                              MD5:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              SHA1:CE4758849B53AF582D2D8A1BC0DB20683E139FCC
                                                                                                                              SHA-256:EC8252A333F68865160E26DC95607F2C49AF00F78C657F7F8417AB9D86E90BF7
                                                                                                                              SHA-512:9626FC4AA4604EEE7EDEDA62B9DC78A3F6FE388EAF1FA6C916A3715B0DFF65C417EEDE156D82398C2400977A36457122565E15E0ED0E435B28CB9F796005C1C0
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q.....................P....................@..............................................@...............................7......|...........................................................................t................................text...t........................... ..`.itext.. ........................... ..`.data...00.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............F...................rdata...............F..............@..@.rsrc...|............H..............@..@....................................@..@........................................................................................................................................
                                                                                                                              Process:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1190912
                                                                                                                              Entropy (8bit):6.396170525244629
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24576:Z4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96BxYx9v1:iT90guMXEdqwHkUBK3
                                                                                                                              MD5:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              SHA1:CE4758849B53AF582D2D8A1BC0DB20683E139FCC
                                                                                                                              SHA-256:EC8252A333F68865160E26DC95607F2C49AF00F78C657F7F8417AB9D86E90BF7
                                                                                                                              SHA-512:9626FC4AA4604EEE7EDEDA62B9DC78A3F6FE388EAF1FA6C916A3715B0DFF65C417EEDE156D82398C2400977A36457122565E15E0ED0E435B28CB9F796005C1C0
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q.....................P....................@..............................................@...............................7......|...........................................................................t................................text...t........................... ..`.itext.. ........................... ..`.data...00.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............F...................rdata...............F..............@..@.rsrc...|............H..............@..@....................................@..@........................................................................................................................................
                                                                                                                              Process:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1190912
                                                                                                                              Entropy (8bit):6.396170525244629
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24576:Z4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96BxYx9v1:iT90guMXEdqwHkUBK3
                                                                                                                              MD5:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              SHA1:CE4758849B53AF582D2D8A1BC0DB20683E139FCC
                                                                                                                              SHA-256:EC8252A333F68865160E26DC95607F2C49AF00F78C657F7F8417AB9D86E90BF7
                                                                                                                              SHA-512:9626FC4AA4604EEE7EDEDA62B9DC78A3F6FE388EAF1FA6C916A3715B0DFF65C417EEDE156D82398C2400977A36457122565E15E0ED0E435B28CB9F796005C1C0
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q.....................P....................@..............................................@...............................7......|...........................................................................t................................text...t........................... ..`.itext.. ........................... ..`.data...00.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............F...................rdata...............F..............@..@.rsrc...|............H..............@..@....................................@..@........................................................................................................................................
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6144
                                                                                                                              Entropy (8bit):4.289297026665552
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                              MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                              SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                              SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                              SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):23312
                                                                                                                              Entropy (8bit):4.596242908851566
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):152616
                                                                                                                              Entropy (8bit):6.538512364495765
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:RMmLlzH5vVOS6vHZM+70gxvlou/xq+1f2auYpLAbPTxTTtFBImEQ3F65D:dZ/OSO7gK5q+N2ahjOF65D
                                                                                                                              MD5:57E73855FAD786A59893D6581E9FB5B9
                                                                                                                              SHA1:630E52B9E88A05ADD68401BD62790ED8E2C3282A
                                                                                                                              SHA-256:3A7A8AA906C65124C4EE82AACB81D723CE69864CCAF041F631B8131DE59E4A88
                                                                                                                              SHA-512:BE0CF0925535DD667488175F2EAC660D1EBF8429CE6725252C59FB70B00FC2F21B1E0B7CE632EAA53337AE25E44C641E13A3DF0B415724498D30DAF00B296F4D
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..j9..j9..j9...:..j9...<.^j9...=..j9...=..j9...:..j9...8..j9..j8._j9...<..j9.j.:..j9.j.<..j9.j.9..j9.j...j9.j.;..j9.Rich.j9.........PE..L....gb.........."!................OD.......................................p......fk....@..........................................@...............8..(....P......L...T...............................@............................................text............................... ..`.rdata.............................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......."..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1835008
                                                                                                                              Entropy (8bit):4.469461825898498
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:6144:4zZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuN+jDH5S:uZHtYZWOKnMM6bFpQj4
                                                                                                                              MD5:CA44EBCBFD7169517D5E91E2E29BAA62
                                                                                                                              SHA1:0D34C46072F2B6001B3C457AA08426D49FF08E24
                                                                                                                              SHA-256:26C1B9ED01107723C9AA798CC518A165989252517ABEE56E9C7428E101A628C0
                                                                                                                              SHA-512:816E8B8F20794CFD29E8C543FAFE60E8982671A5E4084CF2EA2D249B5770F9552739158340D845077FCC461A2E21F22D964A1FB425F0D325D8CAFDA220B158A2
                                                                                                                              Malicious:false
                                                                                                                              Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.f.S.5..............................................................................................................................................................................................................................................................................................................................................g9.g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.9758659344398435
TrID:
• Win64 Dynamic Link Library (generic) (102004/3) 86.43%
• Win64 Executable (generic) (12005/4) 10.17%
• Generic Win/DOS Executable (2004/3) 1.70%
• DOS Executable Generic (2002/1) 1.70%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: cobaltstrike.dll
File size: 22'275'072 bytes
MD5: 943afff642b01160380eaae87a33da07
SHA1: 67f575725d10dae057a35aa15691278a2245e158
SHA256: 6e5887670a74b010bff1c5bc11e936b392a12ed48a6afd796bd712c2594d423b
SHA512: aca40924bc686dbad3d7a517db2672d79ea6b8cbe596c3b68456f392da0ef2d79a9741943cd8560174d56786e08549389474e1084440208fb19c9114498020c8
SSDEEP: 393216:2lu7Txs0NDmNh9D4HaSYz2Kj0Cz1gEVmWdQOjM/y3tFfs5IRRViGmMQZ+Bw5X:17Th9mT97S7CzNwWCJK05IRTX+F
TLSH: A8272357E3A745B8E92FC03885A253736D30FC186164A91BAEA4F73D5F31E608B7A710
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Mf..........."...'.x....S..4.. .........................................T......sT...`... ............................
Icon Hash: 0f00cc0ce41c020f
Entrypoint: 0x2c1a61320 (RVA 0x1320 from the image base)
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x2c1a60000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x664DDFBF [Wed May 22 12:06:23 2024 UTC]
TLS Callbacks: 0x2c1a8dcb0, 0x2c1a8dc80 (the report prints each 64-bit callback address as a low dword followed by a high dword: 0xc1a8dcb0, 0x2, 0xc1a8dc80, 0x2; both lie inside the image at 0x2c1a60000)
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 66f165513bf4c762ca78ccbfc28d421c
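The header fields above (entry point against image base, image and DLL characteristics, link timestamp, subsystem, the section holding the entry point) come straight out of the PE headers, and a file-level entropy of 7.98 on a 22 MB image is what a packed or encrypted payload looks like from the outside. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a stdlib-only PE32+ header parser that also reports 8-bit Shannon entropy per section, which tells you which section carries the high-entropy payload rather than only that the file has one. It runs against a synthetic two-section image built inline by build_sample_pe(); that image, its section bodies and the flag-name tables are constructs of the example, with the header values chosen to mirror those reported for cobaltstrike.dll.

```python
"""Added example (not from the report or the sample): stdlib-only PE32+ header
parser that also computes 8-bit Shannon entropy per section."""
import math
import struct
import time
from collections import Counter

# Flag-name tables (subset of the PE spec; bits not listed are reported raw).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x4000: "GUARD_CF",
}
MACHINES = {0x014C: "i386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 when all 256 values are equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_names(value: int, table: dict) -> list:
    """Decode a bit field into names, lowest bit first (the order the report prints)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:04x}")
    return names


def parse_pe64(blob: bytes) -> dict:
    """Walk DOS -> COFF -> PE32+ optional -> section headers of an on-disk image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q", blob, opt + 24)[0]     # ImageBase (8 bytes in PE32+)
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)
    sections, entry_section = [], None
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if va <= entry_rva < va + max(vsize, rsize):
            entry_section = name
        sections.append({"name": name, "va": va, "raw_size": rsize,
                         "entropy": round(shannon_entropy(blob[rptr:rptr + rsize]), 3)})
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "image_base": image_base,
        "entry_va": image_base + entry_rva,
        "entry_section": entry_section,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
        "file_entropy": round(shannon_entropy(blob), 3),
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32+ image: header values mirror the report, section bodies are invented."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x664DDFBF, 0, 0, 240, 0x222E)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1320)                        # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x2C1A60000)                   # ImageBase
    struct.pack_into("<HH", opt, 68, 3, 0x0160)                    # windows cui; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    # .text: four byte values equally often (entropy exactly 2.0);
    # .rdata: every byte value exactly twice (entropy exactly 8.0, i.e. packed/encrypted-looking).
    text = b"\x48\x8b\x05\x90" * 256
    rdata = bytes((i * 239 + 13) % 256 for i in range(512))

    def section_header(name, va, rptr, body):
        return struct.pack("<8sIIII", name, len(body), va, len(body), rptr) + bytes(16)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section_header(b".text", 0x1000, 0x200, text)
               + section_header(b".rdata", 0x2000, 0x600, rdata))
    return headers.ljust(0x200, b"\0") + text + rdata


if __name__ == "__main__":
    for key, value in parse_pe64(build_sample_pe()).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

Per-section entropy is the check worth adding to triage: a .text near 8.0 means the code itself is packed, while a small low-entropy .text next to a resource or custom-named section near 8.0 points at a loader stub with an embedded payload. The import hash the report prints needs the import directory walked as well, which this parser does not do.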
Instruction (note: the report disassembled this x86-64 code in 32-bit mode; each "dec eax" it printed is actually a REX.W prefix byte, 0x48, belonging to the instruction that follows, and the bare [disp32] operands are RIP-relative. The listing below gives the x64 decoding.)
mov rax, qword ptr [rip+000BF399h]
mov dword ptr [rax], 00000000h
jmp 00007F6AAD128903h
nop word ptr [rax+rax*1+00000000h]
nop dword ptr [rax]
mov rdx, rcx
lea rcx, [rip+000DACB6h]
jmp 00007F6AAD161ED6h
nop
lea rcx, [rip+00000009h]
jmp 00007F6AAD128A49h
nop dword ptr [rax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push rbp
push rdi
push rsi
push rbx
rex.w (prefix of the next instruction, which the listing cuts off)
                                                                                                                              sub esp, 00000088h
                                                                                                                              movzx edi, word ptr [000B9C7Eh]
                                                                                                                              dec eax
                                                                                                                              mov eax, dword ptr [00000030h]
                                                                                                                              dec eax
                                                                                                                              mov eax, dword ptr [eax+60h]
                                                                                                                              dec eax
                                                                                                                              mov eax, dword ptr [eax+18h]
                                                                                                                              dec eax
                                                                                                                              mov ebx, ecx
                                                                                                                              dec eax
                                                                                                                              mov esi, edx
                                                                                                                              inc ebp
                                                                                                                              mov eax, eax
                                                                                                                              mov dword ptr [esp+5Ch], 00000000h
                                                                                                                              dec eax
                                                                                                                              mov eax, dword ptr [eax+20h]
                                                                                                                              dec eax
                                                                                                                              mov ebp, dword ptr [eax]
                                                                                                                              dec esp
                                                                                                                              mov ebx, dword ptr [ebp-10h]
                                                                                                                              dec esp
                                                                                                                              lea edx, dword ptr [ebp-10h]
                                                                                                                              dec esp
                                                                                                                              cmp ebp, ebx
                                                                                                                              je 00007F6AAD128AAEh
                                                                                                                              nop dword ptr [eax+eax+00000000h]
                                                                                                                              dec ecx
                                                                                                                              mov eax, dword ptr [edx+60h]
                                                                                                                              dec eax
                                                                                                                              lea ecx, dword ptr [eax+02h]
                                                                                                                              movzx eax, word ptr [eax]
                                                                                                                              test ax, ax
                                                                                                                              je 00007F6AAD128A8Bh
                                                                                                                              mov edx, 00000E0Eh
                                                                                                                              nop dword ptr [eax]
                                                                                                                              inc ecx
                                                                                                                              mov ecx, edx
                                                                                                                              dec eax
                                                                                                                              add ecx, 02h
                                                                                                                              inc ecx
                                                                                                                              shl ecx, 06h
                                                                                                                              inc esp
                                                                                                                              add edx, ecx
                                                                                                                              add edx, eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xe0000 | 0x22ad | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe3000 | 0xf40 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0x145f7a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc8000 | 0x8958 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1546000 | 0x1274 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xbf1e0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xe33cc | 0x368 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb7720 | 0xb7800 | 58b35ef998cfa90c0fc766fba23e10c7 | False | 0.3363845367847411 | data | 6.166712974184871 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb9000 | 0x1f60 | 0x2000 | edcc12984c895929f14198bd93258019 | False | 0.0328369140625 | data | 0.39802277592091506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xbb000 | 0xcd10 | 0xce00 | 86fc2251be884b66ac3b3ac9ab852123 | False | 0.23627123786407767 | dBase III DBT, version number 0, next free block index 9215, 1st item "\272x%.\034\246\264\306\350\335t\037K\275\213\212p>\265fH\003\366\016a5W\271\206\301\035\236\341\370\230\021i\331\216\224\233\036\207\351\316U(\337\214\241\211" | 4.791271478015345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0xc8000 | 0x8958 | 0x8a00 | 22661c30895210e432d20abf8e0d7937 | False | 0.5189934329710145 | data | 5.921771719594413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0xd1000 | 0xabdc | 0xac00 | ac243aef7bb33763b81c90762a3649c7 | False | 0.18863553779069767 | data | 4.888397067705152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0xdc000 | 0x3220 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xe0000 | 0x22ad | 0x2400 | 486a32d81290177a2d98353142b6337a | False | 0.2888454861111111 | data | 5.138852363642815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0xe3000 | 0xf40 | 0x1000 | 3dd14e1cd944d97179c8ebd57340db3e | False | 0.31884765625 | data | 4.347738486161096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xe4000 | 0x58 | 0x200 | 68205043bda4f8d3836b7d93f0c36457 | False | 0.05859375 | data | 0.2586118414565796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe5000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xe6000 | 0x145f7a8 | 0x145f800 | 690b43e2f3fcab8ec3c85371e261936d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1546000 | 0x1274 | 0x1400 | 946e8ce15271dcd569f538b1e6fe8ef7 | False | 0.3908203125 | data | 5.321623513003073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe6160 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.1894934333958724
RT_RCDATA | 0xe7208 | 0x1413530 | PE32 executable (GUI) Intel 80386, for MS Windows | English | United States | 0.9022197723388672
RT_RCDATA | 0x14fa738 | 0x17 | ASCII text, with no line terminators | English | United States | 1.3478260869565217
RT_RCDATA | 0x14fa750 | 0x4b040 | data | English | United States | 1.0003287075609248
RT_GROUP_ICON | 0x1545790 | 0x14 | data | English | United States | 1.1
DLL | Import
KERNEL32.dll | CloseHandle, CreateFileA, DeleteCriticalSection, EnterCriticalSection, FindResourceA, FreeResource, GetCommandLineA, GetLastError, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetSystemTimeAsFileTime, GetThreadId, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsDBCSLeadByteEx, K32EnumProcessModules, K32GetModuleFileNameExA, LeaveCriticalSection, LoadLibraryW, LoadResource, LockResource, MultiByteToWideChar, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SizeofResource, Sleep, SleepConditionVariableCS, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __iob_func, _amsg_exit, _errno, _initterm, _lock, _read, _strnicmp, _unlock, _wcsicmp, abort, calloc, fputc, fputs, fputwc, free, fwprintf, fwrite, getenv, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, rand, realloc, setlocale, strchr, strcmp, strcoll, strcpy, strerror, strftime, strlen, strncat, strncmp, strncpy, strtoul, strxfrm, towlower, towupper, vfprintf, wcscat, wcscoll, wcsftime, wcslen, wcsxfrm
ntdll.dll | RtlAllocateHeap, RtlCreateProcessParametersEx, RtlDestroyProcessParameters, RtlFreeHeap, RtlInitUnicodeString
SHELL32.dll | CommandLineToArgvW
Name | Ordinal | Address
CloseThreadWaitChainSession | 94 | 0x2c1b405ee
GetThreadWaitChain | 95 | 0x2c1b4062b
OpenThreadWaitChainSession | 96 | 0x2c1b40656
RegisterWaitChainCOMCallback | 97 | 0x2c1b40691
WerAddExcludedApplication | 98 | 0x2c1b406d0
WerFreeString | 99 | 0x2c1b40709
WerRemoveExcludedApplication | 100 | 0x2c1b4072a
WerReportAddDump | 101 | 0x2c1b40769
WerReportAddFile | 102 | 0x2c1b40790
WerReportCloseHandle | 103 | 0x2c1b407b7
WerReportCreate | 104 | 0x2c1b407e6
WerReportSetParameter | 105 | 0x2c1b4080b
WerReportSetUIOption | 106 | 0x2c1b4083c
WerReportSubmit | 107 | 0x2c1b4086b
WerStoreClose | 108 | 0x2c1b40890
WerStoreGetFirstReportKey | 109 | 0x2c1b408b1
WerStoreGetNextReportKey | 110 | 0x2c1b408ea
WerStoreGetReportCount | 111 | 0x2c1b40921
WerStoreGetSizeOnDisk | 112 | 0x2c1b40954
WerStoreOpen | 113 | 0x2c1b40985
WerStorePurge | 114 | 0x2c1b409a4
WerStoreQueryReportMetadataV1 | 115 | 0x2c1b409c5
WerStoreQueryReportMetadataV2 | 116 | 0x2c1b40a06
WerStoreQueryReportMetadataV3 | 117 | 0x2c1b40a47
WerStoreUploadReport | 118 | 0x2c1b40a88
WerSysprepCleanup | 1 | 0x2c1b40ab7
WerSysprepGeneralize | 2 | 0x2c1b40ae0
WerUnattendedSetup | 3 | 0x2c1b40b0f
WerpAddAppCompatData | 4 | 0x2c1b40b3a
WerpAddFile | 119 | 0x2c1b40b69
WerpAddFileBuffer | 120 | 0x2c1b40b86
WerpAddFileCallback | 121 | 0x2c1b40baf
WerpAddIfRegisteredForAppLocalDump | 5 | 0x2c1b40bdc
WerpAddMemoryBlock | 6 | 0x2c1b40c27
WerpAddRegisteredDataToReport | 7 | 0x2c1b40c52
WerpAddRegisteredDumpsToReport | 8 | 0x2c1b40c93
WerpAddRegisteredMetadataToReport | 9 | 0x2c1b40cd6
WerpAddTerminationReason | 122 | 0x2c1b40d1f
WerpArchiveReport | 10 | 0x2c1b40d56
WerpAuxmdDumpProcessImages | 123 | 0x2c1b40d7f
WerpAuxmdDumpRegisteredBlocks | 124 | 0x2c1b40dba
WerpAuxmdFree | 125 | 0x2c1b40dfb
WerpAuxmdFreeCopyBuffer | 126 | 0x2c1b40e1c
WerpAuxmdHashVaRanges | 127 | 0x2c1b40e51
WerpAuxmdInitialize | 128 | 0x2c1b40e82
WerpAuxmdMapFile | 129 | 0x2c1b40eaf
WerpCancelUpload | 11 | 0x2c1b40ed6
WerpCleanWer | 12 | 0x2c1b40efd
WerpCloseStore | 13 | 0x2c1b40f1c
WerpCreateIntegratorReportId | 130 | 0x2c1b40f3f
WerpCreateMachineStore | 14 | 0x2c1b40f7e
WerpDeleteReport | 15 | 0x2c1b40fb1
WerpDestroyWerString | 16 | 0x2c1b40fd8
WerpEnumerateStoreNext | 17 | 0x2c1b41007
WerpEnumerateStoreStart | 18 | 0x2c1b4103a
WerpExtractReportFiles | 131 | 0x2c1b4106f
WerpFlushImageCache | 19 | 0x2c1b410a2
WerpForceDeferredCollection | 20 | 0x2c1b410cf
WerpFreeString | 132 | 0x2c1b4110c
WerpFreeUnmappedVaRanges | 21 | 0x2c1b4112f
WerpGetBucketId | 22 | 0x2c1b41166
WerpGetDynamicParameter | 23 | 0x2c1b4118b
WerpGetEventType | 24 | 0x2c1b411c0
WerpGetExtendedDiagData | 25 | 0x2c1b411e7
WerpGetFileByIndex | 26 | 0x2c1b4121c
WerpGetFilePathByIndex | 27 | 0x2c1b41247
WerpGetIntegratorReportId | 133 | 0x2c1b4127a
WerpGetLegacyBucketId | 28 | 0x2c1b412b3
WerpGetLoadedModuleByIndex | 29 | 0x2c1b412e4
WerpGetNumFiles | 30 | 0x2c1b4131f
WerpGetNumLoadedModules | 31 | 0x2c1b41344
WerpGetNumSigParams | 32 | 0x2c1b41379
WerpGetPathOfWERTempDirectory | 33 | 0x2c1b413a6
WerpGetReportConsent | 134 | 0x2c1b413e7
WerpGetReportCount | 34 | 0x2c1b41416
WerpGetReportFinalConsent | 35 | 0x2c1b41441
WerpGetReportFlags | 36 | 0x2c1b4147a
WerpGetReportId | 37 | 0x2c1b414a5
WerpGetReportInformation | 38 | 0x2c1b414ca
WerpGetReportSettings | 39 | 0x2c1b41501
WerpGetReportTime | 40 | 0x2c1b41532
WerpGetReportType | 41 | 0x2c1b4155b
WerpGetResponseId | 42 | 0x2c1b41584
WerpGetSigParamByIndex | 43 | 0x2c1b415ad
WerpGetStoreLocation | 135 | 0x2c1b415e0
WerpGetStorePath | 44 | 0x2c1b4160f
WerpGetStoreType | 45 | 0x2c1b41636
WerpGetTextFromReport | 46 | 0x2c1b4165d
WerpGetUIParamByIndex | 47 | 0x2c1b4168e
WerpGetUploadTime | 48 | 0x2c1b416bf
WerpGetWerStringData | 49 | 0x2c1b416e8
WerpGetWow64Process | 50 | 0x2c1b41717
WerpHashApplicationParameters | 51 | 0x2c1b41744
WerpInitializeImageCache | 52 | 0x2c1b41785
WerpIsDisabled | 136 | 0x2c1b417bc
                                                                                                                              WerpIsOnBattery530x2c1b417df
                                                                                                                              WerpIsTransportAvailable540x2c1b41804
                                                                                                                              WerpLoadReport1370x2c1b4183b
                                                                                                                              WerpLoadReportFromBuffer550x2c1b4185e
                                                                                                                              WerpOpenMachineArchive560x2c1b41895
                                                                                                                              WerpOpenMachineQueue570x2c1b418c8
                                                                                                                              WerpPromptUser580x2c1b418f7
                                                                                                                              WerpPruneStore590x2c1b4191a
                                                                                                                              WerpReportCancel600x2c1b4193d
                                                                                                                              WerpReportSetMaxProcessHoldMilliseconds610x2c1b41964
                                                                                                                              WerpReportSprintfParameter620x2c1b419b9
                                                                                                                              WerpReserveMachineQueueReportDir630x2c1b419f4
                                                                                                                              WerpResetTransientImageCacheStatistics640x2c1b41a3b
                                                                                                                              WerpRestartApplication650x2c1b41a8e
                                                                                                                              WerpSetAuxiliaryArchivePath1380x2c1b41ac1
                                                                                                                              WerpSetCallBack1390x2c1b41afe
                                                                                                                              WerpSetDefaultUserConsent1400x2c1b41b23
                                                                                                                              WerpSetDynamicParameter660x2c1b41b5c
                                                                                                                              WerpSetEventName670x2c1b41b91
                                                                                                                              WerpSetExitListeners1410x2c1b41bb8
                                                                                                                              WerpSetIntegratorReportId1420x2c1b41be7
                                                                                                                              WerpSetIptEnabled1430x2c1b41c20
                                                                                                                              WerpSetProcessTimelines680x2c1b41c49
                                                                                                                              WerpSetQuickDumpType690x2c1b41c7e
                                                                                                                              WerpSetReportApplicationIdentity700x2c1b41cad
                                                                                                                              WerpSetReportFlags710x2c1b41cf4
                                                                                                                              WerpSetReportInformation720x2c1b41d1f
                                                                                                                              WerpSetReportIsFatal730x2c1b41d56
                                                                                                                              WerpSetReportNamespaceParameter740x2c1b41d85
                                                                                                                              WerpSetReportOption1440x2c1b41dca
                                                                                                                              WerpSetReportTime750x2c1b41df7
                                                                                                                              WerpSetReportUploadContextToken760x2c1b41e20
                                                                                                                              WerpSetTelemetryAppParams770x2c1b41e65
                                                                                                                              WerpSetTelemetryKernelParams780x2c1b41e9e
                                                                                                                              WerpSetTelemetryServiceParams790x2c1b41edd
                                                                                                                              WerpSetTtdStatus1450x2c1b41f1e
                                                                                                                              WerpShowUpsellUI800x2c1b41f45
                                                                                                                              WerpStitchedMinidumpVmPostReadCallback810x2c1b41f6c
                                                                                                                              WerpStitchedMinidumpVmPreReadCallback820x2c1b41fbf
                                                                                                                              WerpStitchedMinidumpVmQueryCallback830x2c1b42010
                                                                                                                              WerpSubmitReportFromStore840x2c1b4205d
                                                                                                                              WerpTraceAuxMemDumpStatistics850x2c1b42096
                                                                                                                              WerpTraceDuration860x2c1b420d7
                                                                                                                              WerpTraceImageCacheStatistics870x2c1b42100
                                                                                                                              WerpTraceSnapshotStatistics880x2c1b42141
                                                                                                                              WerpTraceStitchedDumpWriterStatistics890x2c1b4217e
                                                                                                                              WerpTraceUnmappedVaRangesStatistics900x2c1b421cf
                                                                                                                              WerpUnmapProcessViews910x2c1b4221c
                                                                                                                              WerpValidateReportKey920x2c1b4224d
                                                                                                                              WerpWalkGatherBlocks930x2c1b4227e
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-13T14:23:50.611079+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49790 | TCP
2024-11-13T14:24:38.680407+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49959 | TCP
2024-11-13T14:24:45.043364+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 49950 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:25:06.750419+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 49988 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:25:27.013214+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 49998 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:25:49.671140+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50002 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:26:11.276689+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50005 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:26:31.304319+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50008 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:26:43.935481+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50010 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:26:52.846728+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50012 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:27:04.902481+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50016 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:27:12.814187+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50018 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:27:24.862958+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50022 | 91.92.250.70 | 10443 | TCP
2024-11-13T14:27:33.605371+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 50025 | 91.92.250.70 | 10443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 14:24:36.562644958 CET | 49950 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:36.568250895 CET | 10443 | 49950 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:36.568340063 CET | 49950 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:37.225522995 CET | 49950 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:37.230488062 CET | 10443 | 49950 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:45.043286085 CET | 10443 | 49950 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:45.043364048 CET | 49950 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:46.105468035 CET | 49950 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:46.106098890 CET | 49980 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:46.150160074 CET | 10443 | 49950 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:46.150171995 CET | 10443 | 49980 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:46.150252104 CET | 49980 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:47.337716103 CET | 49980 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:47.342717886 CET | 10443 | 49980 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:54.632044077 CET | 10443 | 49980 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:54.632183075 CET | 49980 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:55.824023962 CET | 49980 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:55.824635029 CET | 49986 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:55.828857899 CET | 10443 | 49980 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:55.831243038 CET | 10443 | 49986 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:55.831334114 CET | 49986 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:55.831460953 CET | 49986 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:55.836607933 CET | 10443 | 49986 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:55.836662054 CET | 49986 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:57.575228930 CET | 49988 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:58.271687031 CET | 10443 | 49988 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:24:58.271832943 CET | 49988 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:58.964837074 CET | 49988 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:24:58.969685078 CET | 10443 | 49988 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:06.750319004 CET | 10443 | 49988 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:06.750418901 CET | 49988 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:07.418133974 CET | 49988 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:07.423154116 CET | 10443 | 49988 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:07.432687044 CET | 49995 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:07.437834024 CET | 10443 | 49995 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:07.437933922 CET | 49995 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:07.438297033 CET | 49995 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:07.443160057 CET | 10443 | 49995 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:16.256778955 CET | 10443 | 49995 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:16.256887913 CET | 49995 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:16.257673979 CET | 10443 | 49995 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:16.257716894 CET | 49995 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:16.949034929 CET | 49995 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:16.955178976 CET | 10443 | 49995 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:16.960292101 CET | 49997 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:16.965471983 CET | 10443 | 49997 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:16.965543985 CET | 49997 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:16.965655088 CET | 49997 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:16.970809937 CET | 10443 | 49997 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:16.970859051 CET | 49997 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:18.527609110 CET | 49998 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:18.532684088 CET | 10443 | 49998 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:18.532807112 CET | 49998 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:19.230573893 CET | 49998 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:19.235527992 CET | 10443 | 49998 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:27.013122082 CET | 10443 | 49998 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:27.013214111 CET | 49998 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:27.730281115 CET | 49998 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:27.735073090 CET | 10443 | 49998 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:27.747612000 CET | 49999 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:27.752614021 CET | 10443 | 49999 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:27.752710104 CET | 49999 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:27.753040075 CET | 49999 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:27.758230925 CET | 10443 | 49999 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:36.228668928 CET | 10443 | 49999 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:36.228755951 CET | 49999 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:36.917844057 CET | 49999 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:36.922760963 CET | 10443 | 49999 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:36.932204008 CET | 50001 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:36.937011003 CET | 10443 | 50001 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:36.937083960 CET | 50001 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:36.937216043 CET | 50001 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:36.942578077 CET | 10443 | 50001 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:36.942641020 CET | 50001 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:41.184421062 CET | 50002 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:41.189687014 CET | 10443 | 50002 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:41.189770937 CET | 50002 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:42.363456964 CET | 50002 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:42.368601084 CET | 10443 | 50002 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:49.671047926 CET | 10443 | 50002 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:49.671139956 CET | 50002 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:50.421952009 CET | 50002 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:50.430548906 CET | 10443 | 50002 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:50.432288885 CET | 50003 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:50.440715075 CET | 10443 | 50003 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:50.440825939 CET | 50003 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:50.441184998 CET | 50003 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:50.449978113 CET | 10443 | 50003 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:58.928970098 CET | 10443 | 50003 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:58.929085016 CET | 50003 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:59.660351992 CET | 50003 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:59.670162916 CET | 50004 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:25:59.795257092 CET | 10443 | 50003 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:59.795300961 CET | 10443 | 50004 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:25:59.795494080 CET | 50004 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:26:00.511895895 CET | 50004 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:26:00.517072916 CET | 10443 | 50004 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:26:00.517153025 CET | 50004 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:26:02.059407949 CET | 50005 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:26:02.795201063 CET | 10443 | 50005 | 91.92.250.70 | 192.168.2.6
Nov 13, 2024 14:26:02.795433998 CET | 50005 | 10443 | 192.168.2.6 | 91.92.250.70
Nov 13, 2024 14:26:03.480967999 CET | 50005 | 10443 | 192.168.2.6 | 91.92.250.70
                                                                                                                              Nov 13, 2024 14:26:03.486124039 CET104435000591.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:11.276515961 CET104435000591.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:11.276689053 CET5000510443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:11.990457058 CET5000510443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:11.995534897 CET104435000591.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:12.000498056 CET5000610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:12.005459070 CET104435000691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:12.005564928 CET5000610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:12.005877018 CET5000610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:12.010648966 CET104435000691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:20.485073090 CET104435000691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:20.485186100 CET5000610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:21.215240955 CET5000610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:21.220837116 CET104435000691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:21.224400043 CET5000710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:21.229474068 CET104435000791.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:21.229559898 CET5000710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:21.229651928 CET5000710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:21.235287905 CET104435000791.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:21.235301971 CET104435000791.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:21.235369921 CET5000710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:22.810261011 CET5000810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:22.815203905 CET104435000891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:22.815335035 CET5000810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:23.543329000 CET5000810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:23.548152924 CET104435000891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:31.304224014 CET104435000891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:31.304318905 CET5000810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:32.058705091 CET5000810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:32.063574076 CET104435000891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:32.070117950 CET5000910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:32.074939966 CET104435000991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:32.075030088 CET5000910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:32.075355053 CET5000910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:32.080135107 CET104435000991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:35.226886988 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:35.231928110 CET104435001091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:35.232057095 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:35.240648031 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:35.245615959 CET104435001091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:40.553767920 CET104435000991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:40.553878069 CET5000910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:41.263978958 CET5000910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:41.269741058 CET104435000991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:41.278772116 CET5001110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:41.283701897 CET104435001191.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:41.283802986 CET5001110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:41.283967972 CET5001110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:41.289287090 CET104435001191.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:41.289355993 CET5001110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:43.935401917 CET104435001091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:43.935481071 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:43.939219952 CET104435001091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:43.939273119 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:44.359257936 CET5001210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:44.364204884 CET104435001291.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:44.364285946 CET5001210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:44.637017012 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:44.637788057 CET5001310443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:45.044996023 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:45.054639101 CET5001210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:45.402440071 CET5001210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:45.568721056 CET104435001091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:45.568742990 CET104435001391.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:45.568778038 CET104435001091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:45.568794012 CET104435001291.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:45.568824053 CET104435001291.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:45.568864107 CET5001310443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:45.570815086 CET5001010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:46.768565893 CET5001310443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:46.773493052 CET104435001391.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:52.846529007 CET104435001291.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:52.846728086 CET5001210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:53.593234062 CET5001210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:53.598545074 CET104435001291.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:53.604476929 CET5001410443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:53.609313965 CET104435001491.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:53.609392881 CET5001410443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:53.609956026 CET5001410443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:53.614809990 CET104435001491.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:54.062205076 CET104435001391.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:54.062344074 CET5001310443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:54.793241024 CET5001310443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:54.798830986 CET104435001391.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:54.812277079 CET5001510443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:54.817640066 CET104435001591.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:54.817739010 CET5001510443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:54.817845106 CET5001510443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:54.823288918 CET104435001591.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:54.823354006 CET5001510443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:56.418678999 CET5001610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:56.423568964 CET104435001691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:26:56.423661947 CET5001610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:57.168462038 CET5001610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:26:57.173713923 CET104435001691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:02.089346886 CET104435001491.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:02.091310024 CET5001410443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:02.794843912 CET5001410443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:02.800066948 CET104435001491.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:02.819360971 CET5001710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:02.824516058 CET104435001791.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:02.824599981 CET5001710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:02.824704885 CET5001710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:02.830172062 CET104435001791.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:02.830288887 CET5001710443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:04.324897051 CET5001810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:04.329992056 CET104435001891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:04.330144882 CET5001810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:04.902338982 CET104435001691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:04.902481079 CET5001610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:05.059248924 CET5001810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:05.064363003 CET104435001891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:05.624677896 CET5001610443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:05.630116940 CET104435001691.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:05.637748957 CET5001910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:05.642762899 CET104435001991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:05.642873049 CET5001910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:05.643173933 CET5001910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:05.648000002 CET104435001991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:12.814039946 CET104435001891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:12.814187050 CET5001810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:13.590260983 CET5001810443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:13.596158028 CET104435001891.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:13.603393078 CET5002010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:13.608316898 CET104435002091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:13.608402014 CET5002010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:13.608685017 CET5002010443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:13.613580942 CET104435002091.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:14.125586033 CET104435001991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:14.125876904 CET5001910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:14.825928926 CET5001910443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:14.830972910 CET104435001991.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:14.839587927 CET5002110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:14.844508886 CET104435002191.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:14.844594955 CET5002110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:14.844746113 CET5002110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:14.849833012 CET104435002191.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:14.849888086 CET5002110443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:16.371767998 CET5002210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:16.377372026 CET104435002291.92.250.70192.168.2.6
                                                                                                                              Nov 13, 2024 14:27:16.377449989 CET5002210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:17.121663094 CET5002210443192.168.2.691.92.250.70
                                                                                                                              Nov 13, 2024 14:27:17.126589060 CET104435002291.92.250.70192.168.2.6
Nov 13, 2024 14:27:22.090384007 CET  10443  50020  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:22.090502024 CET  50020  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:22.838679075 CET  50020  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:22.843605042 CET  10443  50020  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:22.849653006 CET  50023  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:22.854563951 CET  10443  50023  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:22.854667902 CET  50023  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:22.858916044 CET  50023  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:22.863892078 CET  10443  50023  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:22.863948107 CET  50023  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:24.862818956 CET  10443  50022  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:24.862957954 CET  50022  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.107857943 CET  50025  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.112688065 CET  10443  50025  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:25.112768888 CET  50025  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.588129997 CET  50022  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.593450069 CET  10443  50022  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:25.608299971 CET  50026  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.613656998 CET  10443  50026  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:25.613746881 CET  50026  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.614120960 CET  50026  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.618956089 CET  10443  50026  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:25.871696949 CET  50025  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:25.876956940 CET  10443  50025  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:33.605178118 CET  10443  50025  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:33.605370998 CET  50025  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:34.097433090 CET  10443  50026  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:34.097605944 CET  50026  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:38.485662937 CET  50025  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:38.490468979 CET  10443  50025  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:38.857717991 CET  50026  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:38.858439922 CET  50028  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:38.862705946 CET  10443  50026  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:38.863343000 CET  10443  50028  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:38.863435984 CET  50028  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:38.863557100 CET  50028  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:38.868654966 CET  10443  50028  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:38.868721962 CET  50028  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:47.599520922 CET  50027  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:47.701051950 CET  10443  50027  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:47.701188087 CET  50027  10443  192.168.2.6   91.92.250.70
Nov 13, 2024 14:27:56.182828903 CET  10443  50027  91.92.250.70  192.168.2.6
Nov 13, 2024 14:27:56.182976961 CET  50027  10443  192.168.2.6   91.92.250.70
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 13, 2024 14:24:37.143131971 CET  59103        53         192.168.2.6  1.1.1.1
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
Nov 13, 2024 14:24:37.143131971 CET  192.168.2.6  1.1.1.1  0x996e    Standard query (0)  api.msn.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name         CName                            Address  Type                    Class        DNS over HTTPS
Nov 13, 2024 14:24:37.150125980 CET  1.1.1.1    192.168.2.6  0x996e    No error (0)  api.msn.com  api-msn-com.a-0003.a-msedge.net           CNAME (Canonical name)  IN (0x0001)  false

Target ID: 1
Start time: 08:23:19
Start date: 13/11/2024
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\cobaltstrike.dll"
Imagebase: 0x7ff700360000
File size: 165'888 bytes
MD5 hash: 763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 08:23:19
Start date: 13/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 08:23:20
Start date: 13/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1
Imagebase: 0x7ff7e1ca0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 08:23:20
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,CloseThreadWaitChainSession
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 08:23:20
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",#1
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 08:23:21
Start date: 13/11/2024
Path: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
Imagebase: 0x400000
File size: 21'050'672 bytes
MD5 hash: 5537C708EDB9A2C21F88E34E8A0F1744
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 08:23:23
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,GetThreadWaitChain
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 08:23:24
Start date: 13/11/2024
Path: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
Imagebase: 0x400000
File size: 21'050'672 bytes
MD5 hash: 5537C708EDB9A2C21F88E34E8A0F1744
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: moderate
Has exited: false

Target ID: 9
Start time: 08:23:25
Start date: 13/11/2024
Path: C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-1QM08.tmp\Advanced_IP_Scanner.tmp" /SL5="$20408,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe"
Imagebase: 0x400000
File size: 1'190'912 bytes
MD5 hash: B87639F9A6CF5BA8C9E1F297C5745A67
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 10
Start time: 08:23:25
Start date: 13/11/2024
Path: C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-QL302.tmp\Advanced_IP_Scanner.tmp" /SL5="$30412,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe"
Imagebase: 0x400000
File size: 1'190'912 bytes
MD5 hash: B87639F9A6CF5BA8C9E1F297C5745A67
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 11
Start time: 08:23:26
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\cobaltstrike.dll,OpenThreadWaitChainSession
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                              Target ID:12
                                                                                                                              Start time:08:23:28
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:21'050'672 bytes
                                                                                                                              MD5 hash:5537C708EDB9A2C21F88E34E8A0F1744
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:Borland Delphi
                                                                                                                              Has exited:false

                                                                                                                              Target ID:13
                                                                                                                              Start time:08:23:29
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-F1EO2.tmp\Advanced_IP_Scanner.tmp" /SL5="$10454,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe"
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:1'190'912 bytes
                                                                                                                              MD5 hash:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:Borland Delphi
                                                                                                                              Antivirus matches:
                                                                                                                              • Detection: 3%, ReversingLabs
                                                                                                                              Has exited:false

                                                                                                                              Target ID:14
                                                                                                                              Start time:08:23:31
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:21'050'672 bytes
                                                                                                                              MD5 hash:5537C708EDB9A2C21F88E34E8A0F1744
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:Borland Delphi
                                                                                                                              Has exited:false

                                                                                                                              Target ID:16
                                                                                                                              Start time:08:23:32
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-LM2G1.tmp\Advanced_IP_Scanner.tmp" /SL5="$60218,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe"
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:1'190'912 bytes
                                                                                                                              MD5 hash:B87639F9A6CF5BA8C9E1F297C5745A67
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:Borland Delphi
                                                                                                                              Antivirus matches:
                                                                                                                              • Detection: 3%, ReversingLabs
                                                                                                                              Has exited:false

                                                                                                                              Target ID:18
                                                                                                                              Start time:08:23:53
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\System32\sihost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\sihost.exe
                                                                                                                              Imagebase:0x7ff6440e0000
                                                                                                                              File size:111'616 bytes
                                                                                                                              MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000012.00000002.2908078030.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                                                              Has exited:true

                                                                                                                              Target ID:19
                                                                                                                              Start time:08:23:56
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\System32\sihost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\sihost.exe
                                                                                                                              Imagebase:0x7ff6440e0000
                                                                                                                              File size:111'616 bytes
                                                                                                                              MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:false

                                                                                                                              Target ID:20
                                                                                                                              Start time:08:24:00
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\System32\sihost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\sihost.exe
                                                                                                                              Imagebase:0x7ff799c70000
                                                                                                                              File size:111'616 bytes
                                                                                                                              MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000014.00000003.2947314162.00007FFD44420000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                                                              Has exited:false

                                                                                                                              Target ID:21
                                                                                                                              Start time:08:24:07
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\System32\sihost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\sihost.exe
                                                                                                                              Imagebase:0x7ff6440e0000
                                                                                                                              File size:111'616 bytes
                                                                                                                              MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:false

                                                                                                                              Target ID:22
                                                                                                                              Start time:08:24:08
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:explorer.exe /LOADSAVEDWINDOWS
                                                                                                                              Imagebase:0x7ff609140000
                                                                                                                              File size:5'141'208 bytes
                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:23
                                                                                                                              Start time:08:24:08
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\System32\sihost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\sihost.exe
                                                                                                                              Imagebase:0x7ff6440e0000
                                                                                                                              File size:111'616 bytes
                                                                                                                              MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:false

                                                                                                                              Target ID:25
                                                                                                                              Start time:08:24:09
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:explorer.exe /LOADSAVEDWINDOWS
                                                                                                                              Imagebase:0x7ff609140000
                                                                                                                              File size:5'141'208 bytes
                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:26
                                                                                                                              Start time:08:24:09
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:explorer.exe /LOADSAVEDWINDOWS
                                                                                                                              Imagebase:0x7ff609140000
                                                                                                                              File size:5'141'208 bytes
                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:27
                                                                                                                              Start time:08:24:09
                                                                                                                              Start date:13/11/2024
                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:explorer.exe /LOADSAVEDWINDOWS
                                                                                                                              Imagebase:0x7ff609140000
                                                                                                                              File size:5'141'208 bytes
                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                              Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 08:24:09
Start date: 13/11/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /NoUACCheck
Imagebase: 0x7ff609140000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 08:24:11
Start date: 13/11/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 1340 -s 544
Imagebase: 0x7ff7df320000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 08:24:20
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 08:24:40
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",CloseThreadWaitChainSession
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 37
Start time: 08:24:40
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",GetThreadWaitChain
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 38
Start time: 08:24:40
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",OpenThreadWaitChainSession
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 08:24:40
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",WerpWalkGatherBlocks
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 40
Start time: 08:24:40
Start date: 13/11/2024
Path: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\Downloads\Advanced_IP_Scanner.exe
Imagebase: 0x400000
File size: 21'050'672 bytes
MD5 hash: 5537C708EDB9A2C21F88E34E8A0F1744
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: false

Target ID: 41
Start time: 08:24:40
Start date: 13/11/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\cobaltstrike.dll",WerpValidateReportKey
Imagebase: 0x7ff759960000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000029.00000002.4999809185.000001BA34866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000029.00000002.4999809185.000001BA34866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000029.00000002.4999809185.000001BA34866000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited: false

No disassembly