Windows Analysis Report
A1E0xfcSNl.exe

Overview

General Information

Sample name: A1E0xfcSNl.exe
renamed because original name is a hash value
Original sample name: f05982b55c7a85b9e71a941fe2295848.exe
Analysis ID: 1532360
MD5: f05982b55c7a85b9e71a941fe2295848
SHA1: b0df24778218a422f7a88083c9fb591f0499c36f
SHA256: 5462b422de6d759e45cc0269d564acbf0805c4441aba38bd28133c98d1187888
Tags: 64exe

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: A1E0xfcSNl.exe Avira: detected
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 7810, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "89.197.154.116,/en_US/all.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: https://89.197.154.116:7810/en_US/all.jsM9 Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/dll Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/en_US/all.jshic Virustotal: Detection: 20%
Source: https://89.197.154.116:7810/en_US/all.jsZ0 Virustotal: Detection: 20%
Source: https://89.197.154.116:7810/ Virustotal: Detection: 6%
Source: https://89.197.154.116:7810/l Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/.net Virustotal: Detection: 20%
Source: https://89.197.154.116:7810// Virustotal: Detection: 6%
Source: https://89.197.154.116:7810/en_US/all.jsom Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/en_US/all.js Virustotal: Detection: 21%
Source: https://89.197.154.116/ Virustotal: Detection: 20%
Source: 89.197.154.116 Virustotal: Detection: 22%
Source: A1E0xfcSNl.exe ReversingLabs: Detection: 84%
Source: A1E0xfcSNl.exe Virustotal: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: A1E0xfcSNl.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_007B1184
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007E2020 CryptGenRandom, 0_2_007E2020
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_007C9220
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_007C1C30
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 4x nop then sub rsp, 28h 0_2_00402314

Networking

Source: Network traffic Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 89.197.154.116:7810 -> 192.168.2.4:49730
Source: Malware configuration extractor URLs: 89.197.154.116
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 89.197.154.116:7810
Source: Joe Sandbox View IP Address: 89.197.154.116 89.197.154.116
Source: Joe Sandbox View ASN Name: VIRTUAL1GB VIRTUAL1GB
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 89.197.154.116:7810
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle, 0_2_007BE68C
Source: A1E0xfcSNl.exe, 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2968344675.0000000003A47000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2575316910.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2696799052.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2745045226.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651363582.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2698625132.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744902985.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2587345424.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2792724674.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/2
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/?
Source: A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/J
Source: A1E0xfcSNl.exe, 00000000.00000003.2745045226.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2840042170.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841784165.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744902985.0000000003A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Lowy
Source: A1E0xfcSNl.exe, 00000000.00000003.2891272705.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2889324959.0000000003A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low~
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/N
Source: A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Q
Source: A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Y
Source: A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Z
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/f
Source: A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/i
Source: A1E0xfcSNl.exe, 00000000.00000003.2841784165.00000000039FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msd
Source: A1E0xfcSNl.exe, 00000000.00000003.2613338606.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2616187536.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2614484255.00000000039CD000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625609224.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2615740912.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625562236.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625686592.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2615920623.00000000039F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/
Source: A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trust5
Source: A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/a
Source: A1E0xfcSNl.exe, 00000000.00000003.2805877584.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab/
Source: A1E0xfcSNl.exe, 00000000.00000003.2575782822.00000000039FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625562236.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625686592.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2638500805.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2615920623.00000000039F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11987e592cac6
Source: A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2721210841.00000000039FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1bd4e0020130a
Source: A1E0xfcSNl.exe, 00000000.00000003.2662905991.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637546484.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651175055.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625402864.0000000003A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1c7bb69fbb7ef
Source: A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?206335be2112e
Source: A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2889324959.0000000003A1A000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903844664.0000000003A1A000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?379de8c2583ed
Source: A1E0xfcSNl.exe, 00000000.00000003.2673851598.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2674815841.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2674540264.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2674943880.00000000039F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ceef9ea5f336
Source: A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3dd6a9b033069
Source: A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?49417627e635c
Source: A1E0xfcSNl.exe, 00000000.00000003.2853918191.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2855323562.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69c3c58cd8d4e
Source: A1E0xfcSNl.exe, 00000000.00000003.2598576195.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7fe4746b978ee
Source: A1E0xfcSNl.exe, 00000000.00000003.2756572032.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9926f10342b95
Source: A1E0xfcSNl.exe, 00000000.00000003.2744902985.0000000003A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a6d0c8e63b213
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ad1b3d16883af
Source: A1E0xfcSNl.exe, 00000000.00000003.2830432845.00000000039FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c63bb198e70dc
Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ddd978b2426bf
Source: A1E0xfcSNl.exe, 00000000.00000003.2768085189.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806484117.00000000039FE000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2783909509.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2782832541.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2784047530.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2792724674.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2783522079.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2805877584.00000000039FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?eca10e5755dad
Source: A1E0xfcSNl.exe, 00000000.00000003.2662905991.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673851598.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2663639953.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2662520472.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651048419.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651175055.0000000003A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee3d636b31fbc
Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabp
Source: A1E0xfcSNl.exe, 00000000.00000003.1787137011.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enc
Source: A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/rueB
Source: A1E0xfcSNl.exe, 00000000.00000003.2637123523.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2574726157.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2610184152.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2588229355.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625193016.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2587577247.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2597793401.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11987e592c
Source: A1E0xfcSNl.exe, 00000000.00000003.2735305600.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2719700549.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744211745.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733333181.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2755824852.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1bd4e00201
Source: A1E0xfcSNl.exe, 00000000.00000003.2914281384.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?206335be21
Source: A1E0xfcSNl.exe, 00000000.00000003.2673341320.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ceef9ea5f
Source: A1E0xfcSNl.exe, 00000000.00000003.2967121042.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2977577154.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3dd6a9b033
Source: A1E0xfcSNl.exe, 00000000.00000003.2792724674.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2805877584.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830837440.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2816663192.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830350068.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?49417627e6
Source: A1E0xfcSNl.exe, 00000000.00000003.2840042170.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69c3c58cd8
Source: A1E0xfcSNl.exe, 00000000.00000003.2744211745.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9926f10342
Source: A1E0xfcSNl.exe, 00000000.00000003.2865992163.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2878495999.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ad1b3d1688
Source: A1E0xfcSNl.exe, 00000000.00000003.2840042170.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830837440.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2853486155.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2816663192.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830350068.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c63bb198e7
Source: A1E0xfcSNl.exe, 00000000.00000003.2768561421.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?eca10e5755
Source: A1E0xfcSNl.exe, 00000000.00000003.2651000762.0000000003A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee3d636b31
Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116/
Source: A1E0xfcSNl.exe, 00000000.00000003.2612763222.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2575316910.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/
Source: A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/.net
Source: A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810//
Source: A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/SX
Source: A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/dll
Source: A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.js
Source: A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.js-Ce
Source: A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.js4
Source: A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsA
Source: A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsB
Source: A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsG2
Source: A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsKi
Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2598576195.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2662520472.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744289857.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2855323562.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2663639953.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2853918191.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2709742244.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsM9
Source: A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsP
Source: A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsZ0
Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsb
Source: A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2709742244.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564242417.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564344046.00000000039CD000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2573493710.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2563680413.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jshic
Source: A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2611121723.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsom
Source: A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jsoms
Source: A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/en_US/all.jspData
Source: A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/l
Source: A1E0xfcSNl.exe, 00000000.00000003.2587345424.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/lla
Source: A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/m/J
Source: A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/m/Z
Source: A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.116:7810/y

System Summary

Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007E2078 CreateProcessWithLogonW, 0_2_007E2078
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0076916C 0_2_0076916C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00781928 0_2_00781928
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00785914 0_2_00785914
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B2980 0_2_007B2980
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00781264 0_2_00781264
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078AAB0 0_2_0078AAB0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B2B78 0_2_007B2B78
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00780374 0_2_00780374
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00770334 0_2_00770334
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B2BD8 0_2_007B2BD8
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B2BC8 0_2_007B2BC8
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078239C 0_2_0078239C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078C397 0_2_0078C397
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B2C40 0_2_007B2C40
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B2C08 0_2_007B2C08
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0077F5A8 0_2_0077F5A8
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0076CE3C 0_2_0076CE3C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078E600 0_2_0078E600
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00769680 0_2_00769680
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078C680 0_2_0078C680
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00776F38 0_2_00776F38
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078CFF0 0_2_0078CFF0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0078B7B0 0_2_0078B7B0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D01A8 0_2_007D01A8
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BDA3C 0_2_007BDA3C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DF200 0_2_007DF200
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BA280 0_2_007BA280
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DD280 0_2_007DD280
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C7B38 0_2_007C7B38
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DDBF0 0_2_007DDBF0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DC3B0 0_2_007DC3B0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007B9D6C 0_2_007B9D6C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D2528 0_2_007D2528
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D6514 0_2_007D6514
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C867C 0_2_007C867C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D1E64 0_2_007D1E64
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DB6B0 0_2_007DB6B0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D0F74 0_2_007D0F74
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C0F34 0_2_007C0F34
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D2F9C 0_2_007D2F9C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DCF97 0_2_007DCF97
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_007C0B70
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C3A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep, 0_2_007C3A64
Source: A1E0xfcSNl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: A1E0xfcSNl.exe ReversingLabs: Detection: 84%
Source: A1E0xfcSNl.exe Virustotal: Detection: 79%
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BD83C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_007BD83C
Source: A1E0xfcSNl.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_0079776C push 0000006Ah; retf 0_2_00797784
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007E916C push 0000006Ah; retf 0_2_007E9184
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D01A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007D01A8
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C5854 0_2_007C5854
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BFA1C 0_2_007BFA1C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Window / User API: threadDelayed 6393
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Window / User API: threadDelayed 3234
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe API coverage: 6.6 %
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BFA1C 0_2_007BFA1C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424 Thread sleep count: 6393 > 30
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424 Thread sleep time: -63930000s >= -30000s
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7436 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424 Thread sleep count: 3234 > 30
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424 Thread sleep time: -32340000s >= -30000s
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_007C9220
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_007C1C30
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Thread delayed: delay time: 60000
Source: A1E0xfcSNl.exe, 00000000.00000003.1787137011.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DF810 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte, 0_2_007DF810
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_007D9744
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007BD83C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_007BD83C
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007DC0C8 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock, 0_2_007DC0C8
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 0_2_00401180
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00402F62 SetUnhandledExceptionFilter, 0_2_00402F62
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401A70
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_004542E4 SetUnhandledExceptionFilter, 0_2_004542E4
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007E24F0 SetUnhandledExceptionFilter, 0_2_007E24F0
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007D44D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D44D0

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007CDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_007CDF50
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007E2050 AllocateAndInitializeSid, 0_2_007E2050
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle, 0_2_00401630
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00401990
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_007C5E28
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_007C5E28
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match File source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR
Source: Yara match File source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C6A78 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_007C6A78
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007C6670 htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_007C6670
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007E2630 bind, 0_2_007E2630
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe Code function: 0_2_007CEE8C socket,closesocket,htons,bind,listen, 0_2_007CEE8C