
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1623897
MD5: e3a004b573f3b6a8e32a6cf74e63c9d2
SHA1: 8e0bf5d952f7295996c577d0018eda13b13dd5e2
SHA256: 2b4a222f385c2367518a3c8d5794219af21376850133208b63c0914e89527e59
Tags: CobaltStrike, exe, x64, user-jstrosch

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Found potential dummy code loops (likely to delay analysis)
Joe Sandbox ML detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E3A004B573F3B6A8E32A6CF74E63C9D2)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"BeaconType": ["HTTPS"], "Port": 444, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.74.209.192,/updates.rss", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 318104477, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source / Rule / Description / Author / Strings
Source: file.exe; Rule: JoeSecurity_CobaltStrike_4; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_CobaltStrike; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_CobaltStrike_3; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_CobaltStrike_ee756db7; Description: Attempts to detect Cobalt Strike based on strings found in BEACON; Author: unknown
        • 0x36993:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
        • 0x36a0b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
        • 0x37170:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
        • 0x374a2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
        • 0x37434:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
        • 0x374a2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
        • 0x36a6e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
        • 0x36bff:$a7: could not run command (w/ token) because of its length of %d bytes!
        • 0x36ab4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
        • 0x36af2:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
        • 0x374ec:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
        • 0x36d5a:$a11: Could not open service control manager on %s: %d
        • 0x3728c:$a12: %d is an x64 process (can't inject x86 content)
        • 0x372bc:$a13: %d is an x86 process (can't inject x64 content)
        • 0x375dd:$a14: Failed to impersonate logged on user %d (%u)
        • 0x37245:$a15: could not create remote thread in %d: %d
        • 0x36b28:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
        • 0x371f3:$a17: could not write to process memory: %d
        • 0x36d8b:$a18: Could not create service %s on %s: %d
        • 0x36e14:$a19: Could not delete service %s on %s: %d
        • 0x36c79:$a20: Could not open process token: %d (%u)
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_CobaltStrike_663fc95d; Description: Identifies CobaltStrike via unidentified function code; Author: unknown
        • 0x21c90:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_CobaltStrike_f0b627fc; Description: Rule for beacon reflective loader; Author: unknown
        • 0x1c035:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 41 8B 84 24 98 00 00 00 25 FF FF FF 00 3D 42 42 42 00 75
Source: 0.0.file.exe.400000.0.unpack; Rule: JoeSecurity_CobaltStrike_4; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 0.2.file.exe.400000.0.unpack; Rule: JoeSecurity_CobaltStrike_4; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 0.2.file.exe.a30000.1.raw.unpack; Rule: JoeSecurity_CobaltStrike_2; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 0.2.file.exe.a30000.1.raw.unpack; Rule: JoeSecurity_CobaltStrike; Description: Yara detected CobaltStrike; Author: Joe Security
Source: 0.2.file.exe.a30000.1.raw.unpack; Rule: JoeSecurity_CobaltStrike_4; Description: Yara detected CobaltStrike; Author: Joe Security

No Sigma rule has matched
Timestamp  SID  Severity  Classtype  Source IP  Source Port  Destination IP  Destination Port  Protocol
2025-02-25T17:19:35.895105+0100  2028765  3  Unknown Traffic  192.168.2.7  49700  20.74.209.192  444  TCP
2025-02-25T17:19:39.891078+0100  2028765  3  Unknown Traffic  192.168.2.7  49703  20.74.209.192  444  TCP
2025-02-25T17:19:43.954377+0100  2028765  3  Unknown Traffic  192.168.2.7  49707  20.74.209.192  444  TCP
2025-02-25T17:19:47.978685+0100  2028765  3  Unknown Traffic  192.168.2.7  49735  20.74.209.192  444  TCP
2025-02-25T17:19:52.236582+0100  2028765  3  Unknown Traffic  192.168.2.7  49766  20.74.209.192  444  TCP
2025-02-25T17:19:56.290579+0100  2028765  3  Unknown Traffic  192.168.2.7  49795  20.74.209.192  444  TCP
2025-02-25T17:20:00.324031+0100  2028765  3  Unknown Traffic  192.168.2.7  49825  20.74.209.192  444  TCP
2025-02-25T17:20:04.448412+0100  2028765  3  Unknown Traffic  192.168.2.7  49853  20.74.209.192  444  TCP
2025-02-25T17:20:08.889698+0100  2028765  3  Unknown Traffic  192.168.2.7  49881  20.74.209.192  444  TCP
2025-02-25T17:20:12.977911+0100  2028765  3  Unknown Traffic  192.168.2.7  49913  20.74.209.192  444  TCP
2025-02-25T17:20:17.010810+0100  2028765  3  Unknown Traffic  192.168.2.7  49941  20.74.209.192  444  TCP
2025-02-25T17:20:21.043682+0100  2028765  3  Unknown Traffic  192.168.2.7  64380  20.74.209.192  444  TCP
2025-02-25T17:20:25.258899+0100  2028765  3  Unknown Traffic  192.168.2.7  64409  20.74.209.192  444  TCP
2025-02-25T17:20:29.275334+0100  2028765  3  Unknown Traffic  192.168.2.7  64417  20.74.209.192  444  TCP
2025-02-25T17:20:33.320794+0100  2028765  3  Unknown Traffic  192.168.2.7  64420  20.74.209.192  444  TCP
2025-02-25T17:20:37.424151+0100  2028765  3  Unknown Traffic  192.168.2.7  64423  20.74.209.192  444  TCP
2025-02-25T17:20:41.543097+0100  2028765  3  Unknown Traffic  192.168.2.7  64426  20.74.209.192  444  TCP
2025-02-25T17:20:45.589275+0100  2028765  3  Unknown Traffic  192.168.2.7  64429  20.74.209.192  444  TCP
2025-02-25T17:20:49.668849+0100  2028765  3  Unknown Traffic  192.168.2.7  64432  20.74.209.192  444  TCP
2025-02-25T17:20:53.697999+0100  2028765  3  Unknown Traffic  192.168.2.7  64435  20.74.209.192  444  TCP
2025-02-25T17:20:57.932094+0100  2028765  3  Unknown Traffic  192.168.2.7  64438  20.74.209.192  444  TCP
2025-02-25T17:21:02.181005+0100  2028765  3  Unknown Traffic  192.168.2.7  64441  20.74.209.192  444  TCP
2025-02-25T17:21:06.419029+0100  2028765  3  Unknown Traffic  192.168.2.7  64444  20.74.209.192  444  TCP
2025-02-25T17:21:10.885651+0100  2028765  3  Unknown Traffic  192.168.2.7  64447  20.74.209.192  444  TCP
2025-02-25T17:21:14.915199+0100  2028765  3  Unknown Traffic  192.168.2.7  64450  20.74.209.192  444  TCP
2025-02-25T17:21:18.964082+0100  2028765  3  Unknown Traffic  192.168.2.7  64453  20.74.209.192  444  TCP
2025-02-25T17:21:23.057544+0100  2028765  3  Unknown Traffic  192.168.2.7  64456  20.74.209.192  444  TCP
2025-02-25T17:21:27.073568+0100  2028765  3  Unknown Traffic  192.168.2.7  64459  20.74.209.192  444  TCP
2025-02-25T17:21:31.073068+0100  2028765  3  Unknown Traffic  192.168.2.7  64462  20.74.209.192  444  TCP
2025-02-25T17:21:35.105004+0100  2028765  3  Unknown Traffic  192.168.2.7  64465  20.74.209.192  444  TCP
2025-02-25T17:21:39.263374+0100  2028765  3  Unknown Traffic  192.168.2.7  64468  20.74.209.192  444  TCP
2025-02-25T17:21:43.294049+0100  2028765  3  Unknown Traffic  192.168.2.7  64471  20.74.209.192  444  TCP
2025-02-25T17:21:47.463059+0100  2028765  3  Unknown Traffic  192.168.2.7  64474  20.74.209.192  444  TCP
2025-02-25T17:21:51.462966+0100  2028765  3  Unknown Traffic  192.168.2.7  64477  20.74.209.192  444  TCP
2025-02-25T17:21:55.431658+0100  2028765  3  Unknown Traffic  192.168.2.7  64480  20.74.209.192  444  TCP
2025-02-25T17:21:59.448684+0100  2028765  3  Unknown Traffic  192.168.2.7  64483  20.74.209.192  444  TCP
2025-02-25T17:22:03.528761+0100  2028765  3  Unknown Traffic  192.168.2.7  64486  20.74.209.192  444  TCP
2025-02-25T17:22:07.541915+0100  2028765  3  Unknown Traffic  192.168.2.7  64489  20.74.209.192  444  TCP
2025-02-25T17:22:11.573763+0100  2028765  3  Unknown Traffic  192.168.2.7  64492  20.74.209.192  444  TCP
2025-02-25T17:22:15.605915+0100  2028765  3  Unknown Traffic  192.168.2.7  64495  20.74.209.192  444  TCP
2025-02-25T17:22:19.634701+0100  2028765  3  Unknown Traffic  192.168.2.7  64498  20.74.209.192  444  TCP
2025-02-25T17:22:23.887224+0100  2028765  3  Unknown Traffic  192.168.2.7  64501  20.74.209.192  444  TCP
2025-02-25T17:22:27.928419+0100  2028765  3  Unknown Traffic  192.168.2.7  64504  20.74.209.192  444  TCP
2025-02-25T17:22:31.999062+0100  2028765  3  Unknown Traffic  192.168.2.7  64507  20.74.209.192  444  TCP
2025-02-25T17:22:36.036044+0100  2028765  3  Unknown Traffic  192.168.2.7  64510  20.74.209.192  444  TCP
2025-02-25T17:22:40.045331+0100  2028765  3  Unknown Traffic  192.168.2.7  64513  20.74.209.192  444  TCP
2025-02-25T17:22:44.091127+0100  2028765  3  Unknown Traffic  192.168.2.7  64516  20.74.209.192  444  TCP
2025-02-25T17:22:48.137956+0100  2028765  3  Unknown Traffic  192.168.2.7  64519  20.74.209.192  444  TCP
2025-02-25T17:22:52.246779+0100  2028765  3  Unknown Traffic  192.168.2.7  64522  20.74.209.192  444  TCP
2025-02-25T17:22:56.355103+0100  2028765  3  Unknown Traffic  192.168.2.7  64525  20.74.209.192  444  TCP
2025-02-25T17:23:00.387159+0100  2028765  3  Unknown Traffic  192.168.2.7  64528  20.74.209.192  444  TCP
2025-02-25T17:23:04.420528+0100  2028765  3  Unknown Traffic  192.168.2.7  64531  20.74.209.192  444  TCP
2025-02-25T17:23:08.420815+0100  2028765  3  Unknown Traffic  192.168.2.7  64534  20.74.209.192  444  TCP
2025-02-25T17:23:12.503169+0100  2028765  3  Unknown Traffic  192.168.2.7  64537  20.74.209.192  444  TCP
2025-02-25T17:23:16.495452+0100  2028765  3  Unknown Traffic  192.168.2.7  64540  20.74.209.192  444  TCP
2025-02-25T17:23:20.547122+0100  2028765  3  Unknown Traffic  192.168.2.7  64543  20.74.209.192  444  TCP
2025-02-25T17:23:24.577386+0100  2028765  3  Unknown Traffic  192.168.2.7  64546  20.74.209.192  444  TCP
2025-02-25T17:23:28.635169+0100  2028765  3  Unknown Traffic  192.168.2.7  64549  20.74.209.192  444  TCP
2025-02-25T17:23:32.671664+0100  2028765  3  Unknown Traffic  192.168.2.7  64552  20.74.209.192  444  TCP
2025-02-25T17:23:36.716192+0100  2028765  3  Unknown Traffic  192.168.2.7  64555  20.74.209.192  444  TCP


AV Detection

Source: file.exe; Avira: detected
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 444, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.74.209.192,/updates.rss", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 318104477, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: file.exe; Virustotal: Detection: 83%
Source: file.exe; ReversingLabs: Detection: 86%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A91184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00A91184
Source: file.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AA3B20 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_00AA3B20
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AABC98 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_00AABC98

Networking

Source: Malware configuration extractor; URLs: 20.74.209.192
Source: global traffic; TCP traffic: 192.168.2.7:49700 -> 20.74.209.192:444
Source: global traffic; TCP traffic: 192.168.2.7:64353 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 20.74.209.192
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49700 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49703 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49707 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49735 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49766 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49795 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49825 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49853 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49881 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49913 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49941 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64380 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64417 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64420 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64409 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64426 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64423 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64429 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64438 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64432 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64441 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64450 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64456 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64459 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64453 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64465 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64462 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64471 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64468 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64474 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64477 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64483 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64480 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64489 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64498 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64444 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64501 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64435 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64492 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64504 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64507 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64516 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64522 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64519 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64525 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64528 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64537 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64543 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64534 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64447 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64552 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64555 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64486 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64540 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64513 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64546 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64531 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64549 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64495 -> 20.74.209.192:444
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:64510 -> 20.74.209.192:444
Source: unknown; TCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 20.74.209.192 (this entry is listed 24 times in the original report, one per connection)
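The repeated "TCP traffic detected without corresponding DNS query" entries above are what a direct-to-IP beacon looks like in a capture: the implant never resolves a name, so the destination appears in flow logs with no matching DNS answer. The script below is an added example, not part of the Joe Sandbox report, of the correlation a detection engineer would run over DNS and connection logs: flag public destinations that no DNS response returned before the connection, mark non-standard ports, and measure how regular the contacts are. The DNS and connection records are constructed and the timestamps invented; only the destination 20.74.209.192:444 comes from the report.

```python
"""Correlate connection logs with DNS answers to flag destinations that were
never resolved by name, and measure how regularly they are contacted.

Added example, not part of the Joe Sandbox report. The DNS and connection
records below are constructed to mirror the report's finding (repeated TCP
connections to 20.74.209.192:444 with no DNS query); timestamps are invented.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed DNS answer records: (seconds since capture start, name, answer IP)
DNS_LOG = [
    (0.8, "ctldl.windowsupdate.com", "13.107.4.50"),
    (1.1, "www.msftconnecttest.com", "13.107.4.52"),
]

# Constructed connection records: (seconds since capture start, dst IP, dst port)
CONN_LOG = [
    (1.5, "13.107.4.50", 80),
    (2.0, "20.74.209.192", 444),
    (62.1, "20.74.209.192", 444),
    (122.3, "20.74.209.192", 444),
    (181.9, "20.74.209.192", 444),
]

STANDARD_WEB_PORTS = {80, 443}


def first_resolution(dns_log):
    """Map each answered IP to the earliest time a DNS response carried it."""
    first_seen = {}
    for ts, _name, ip in dns_log:
        if ip not in first_seen or ts < first_seen[ip]:
            first_seen[ip] = ts
    return first_seen


def connections_without_dns(conn_log, dns_log):
    """Connections whose public destination was not resolved by DNS beforehand."""
    first_seen = first_resolution(dns_log)
    hits = []
    for ts, ip, port in conn_log:
        if not ipaddress.ip_address(ip).is_global:
            continue  # loopback/private destinations are out of scope here
        if ip not in first_seen or first_seen[ip] > ts:
            hits.append((ts, ip, port))
    return hits


def beacon_intervals(conn_log, ip, port):
    """Gaps in seconds between successive connections to one ip:port, rounded."""
    times = sorted(ts for ts, i, p in conn_log if i == ip and p == port)
    return [round(later - earlier, 3) for earlier, later in zip(times, times[1:])]


def summarize(conn_log, dns_log):
    """Per ip:port summary of unresolved destinations: count, port class, regularity."""
    counts = defaultdict(int)
    for _ts, ip, port in connections_without_dns(conn_log, dns_log):
        counts[(ip, port)] += 1
    rows = []
    for (ip, port), n in sorted(counts.items()):
        gaps = beacon_intervals(conn_log, ip, port)
        median_gap = statistics.median(gaps) if gaps else None
        rows.append({
            "ip": ip,
            "port": port,
            "connections": n,
            "nonstandard_port": port not in STANDARD_WEB_PORTS,
            # a small spread around the median gap is the signature of a sleep-driven beacon
            "median_gap": median_gap,
            "max_jitter": max(abs(g - median_gap) for g in gaps) if gaps else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(CONN_LOG, DNS_LOG):
        print(row)
```

In a real deployment the two inputs would be Zeek `dns.log`/`conn.log` or the equivalent firewall and resolver exports; the `is_global` filter keeps loopback and RFC 1918 traffic out of the result, and the jitter column is what separates a human browsing to a bare IP from a timer.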
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AA0318 _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,0_2_00AA0318
                  Source: file.exe, 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:%u/
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384248122.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1405022219.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426453259.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1303556511.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1364777586.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447653763.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192/
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384248122.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1405022219.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426453259.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1303556511.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1364777586.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447653763.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192/;
                  Source: file.exe, 00000000.00000003.1384248122.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1303556511.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1364777586.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1344211554.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384424235.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343804099.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1324145477.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192/o
                  Source: file.exe, 00000000.00000003.2355807803.000000000014E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1324145477.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1940682857.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919964890.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124856393.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960279813.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2001232594.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104552769.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041645667.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/)d
                  Source: file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444//
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426453259.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674553440.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426854312.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/1e
                  Source: file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878250381.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757443023.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1715028291.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817986661.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1714700662.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797376850.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/20
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878250381.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/209.192:444/
                  Source: file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/209.192:444/5/
                  Source: file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/209.192:444/9d
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253620833.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253880468.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124856393.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104552769.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2294278387.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041645667.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2210661642.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212088351.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/209.192:444/pdates.rss
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1940682857.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253620833.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253880468.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919964890.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/209.192:444/updates.rss
                  Source: file.exe, 00000000.00000003.2355807803.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/209.192:444/updates.rssad
                  Source: file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253620833.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253880468.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2294278387.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2210661642.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212088351.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/5/
                  Source: file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253620833.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253880468.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2294278387.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2210661642.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212088351.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/9d
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674553440.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634599084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1569716854.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878250381.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634376076.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/Ad
                  Source: file.exe, 00000000.00000003.1405022219.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/Qd
                  Source: file.exe, 00000000.00000003.1467199619.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1467558003.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507891892.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447653763.0000000000149000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507671346.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/Qg
                  Source: file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/S
                  Source: file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/Yd$
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878250381.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/Yg$
                  Source: file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/_
                  Source: file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/a
                  Source: file.exe, 00000000.00000003.1507891892.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507671346.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/ae
                  Source: file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919916767.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817986661.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797376850.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1940682857.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/o
                  Source: file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878250381.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1940682857.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/pdates.rss
                  Source: file.exe, 00000000.00000002.3709866097.000000000014E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/pdates.rssyd
                  Source: file.exe, 00000000.00000003.2355807803.000000000014E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1324145477.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss
                  Source: file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2699191944.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507891892.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507671346.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2619393287.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797376850.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000149000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss%~
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919916767.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817986661.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1940682857.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104552769.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss(
                  Source: file.exe, 00000000.00000003.2415595495.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1324145477.000000000014A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343804099.000000000014A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634599084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1344263330.000000000014A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1364777586.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1569716854.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634376076.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384248122.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2779948550.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384424235.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2375442389.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1614451350.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1589240884.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1589425126.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss.~
                  Source: file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1549193452.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041645667.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss1~
                  Source: file.exe, 00000000.00000003.3064924684.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3024672136.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss4~
                  Source: file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878250381.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2983362217.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1940682857.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919964890.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960279813.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1549193452.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817986661.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss7~
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124856393.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104552769.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss=~
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507671346.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3709624199.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1589240884.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1634376076.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssF
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674553440.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssId
                  Source: file.exe, 00000000.00000002.3709624199.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssL
                  Source: file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674553440.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634599084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1569716854.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634376076.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674772703.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757443023.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1715028291.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1549193452.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817986661.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1614451350.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1714700662.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssQg
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253620833.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2210661642.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104552769.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssR
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447653763.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507671346.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1589240884.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634376076.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1714700662.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1919916767.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssX
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384248122.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1405022219.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426453259.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1364777586.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447653763.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1507671346.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssb
                  Source: file.exe, 00000000.00000003.1384248122.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1364777586.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1344211554.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384424235.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343804099.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1324145477.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssmui
                  Source: file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1405022219.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426453259.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447653763.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1507671346.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1467199619.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssmui(
                  Source: file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2355807803.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3709624199.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssmuih
                  Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041409022.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757230911.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1548051388.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1589240884.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634376076.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1714700662.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1899474923.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1919916767.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssn
                  Source: file.exe, 00000000.00000002.3709358127.00000000000FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssr
                  Source: file.exe, 00000000.00000003.2125826358.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782043.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062212310.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166903788.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674553440.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1858506141.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2314872826.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082132459.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1960016913.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1919731532.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1735670165.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634599084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878001612.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.2315065289.000000000014D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rssyd
                  Source: file.exe, 00000000.00000003.1797616084.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1838015921.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3105085222.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2189422108.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2860667309.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1837792556.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1777823088.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817986661.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2210661642.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212088351.0000000000148000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1797376850.0000000000148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/updates.rss~
                  Source: file.exe, 00000000.00000003.2166903788.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1634376076.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2234089313.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1614451350.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253620833.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147046630.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1655029615.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674553440.0000000000124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.74.209.192:444/w

                  System Summary

                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON, Author: unknown
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Identifies CobaltStrike via unidentified function code, Author: unknown
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Rule for beacon reflective loader, Author: unknown
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Meterpreter Beacon - file K5om.dll, Author: Florian Roth
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects unmodified CobaltStrike beacon DLL, Author: yara@s3c.za.net
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike sample from Leviathan report, Author: Florian Roth
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike loader, Author: @VK_Intel
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Author: Florian Roth
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
                  Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike payload, Author: ditekSHen
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON, Author: unknown
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Identifies CobaltStrike via unidentified function code, Author: unknown
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Rule for beacon reflective loader, Author: unknown
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Meterpreter Beacon - file K5om.dll, Author: Florian Roth
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects unmodified CobaltStrike beacon DLL, Author: yara@s3c.za.net
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike sample from Leviathan report, Author: Florian Roth
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike loader, Author: @VK_Intel
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Author: Florian Roth
                  Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike payload, Author: ditekSHen
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON, Author: unknown
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Identifies CobaltStrike via unidentified function code, Author: unknown
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Rule for beacon reflective loader, Author: unknown
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Detects unmodified CobaltStrike beacon DLL, Author: yara@s3c.za.net
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike loader, Author: @VK_Intel
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Author: Florian Roth
                  Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike payload, Author: ditekSHen
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON, Author: unknown
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Identifies CobaltStrike via unidentified function code, Author: unknown
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Rule for beacon reflective loader, Author: unknown
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Meterpreter Beacon - file K5om.dll, Author: Florian Roth
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Detects unmodified CobaltStrike beacon DLL, Author: yara@s3c.za.net
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike sample from Leviathan report, Author: Florian Roth
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Cobalt Strike loader, Author: @VK_Intel
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                  Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AC6080 CreateProcessAsUserA
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                  Source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine, Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AC6098 AdjustTokenPrivileges,0_2_00AC6098
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA2A58 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00AA2A58
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AAB998 GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,0_2_00AAB998
Source: file.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, Virustotal: Detection: 83%
Source: file.exe, ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\file.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00ABDB14 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00ABDB14
Source: file.exe, Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00A6BB5C push 0000006Ah; retf 0_2_00A6BB74
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AC7821 pushfq ; ret 0_2_00AC7823
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00ACD15C push 0000006Ah; retf 0_2_00ACD174
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00ACAA98 push rax; retn 00ACh 0_2_00ACAA99
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AC77A0 push rdi; ret 0_2_00AC77A1
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00ACA740 push rax; retn 00ACh 0_2_00ACA741
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AB4840 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00AB4840

                  Malware Analysis System Evasion

                  barindex
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA8198 0_2_00AA8198
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA1904 0_2_00AA1904
Source: C:\Users\user\Desktop\file.exe, Window / User API: threadDelayed 9363
Source: C:\Users\user\Desktop\file.exe, Window / User API: threadDelayed 516
Source: C:\Users\user\Desktop\file.exe, API coverage: 6.9 %
Source: C:\Users\user\Desktop\file.exe TID: 7364, Thread sleep count: 9363 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7364, Thread sleep time: -93630000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7416, Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364, Thread sleep count: 516 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7364, Thread sleep time: -5160000s >= -30000s
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe, Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA3B20 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_00AA3B20
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AABC98 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_00AABC98
Source: C:\Users\user\Desktop\file.exe, Thread delayed: delay time: 60000
Source: file.exe, 00000000.00000002.3709124454.00000000000CB000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000003.2124856393.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1488138869.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1384248122.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2274385808.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1528474940.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293920913.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1695341643.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1981125983.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2021921590.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2000941231.0000000000124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2335061965.0000000000124000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe, API call chain: ExitProcess graph end node graph_0-41212
Source: C:\Users\user\Desktop\file.exe, API call chain: ExitProcess graph end node graph_0-41077

                  Anti Debugging

                  barindex
Source: C:\Users\user\Desktop\file.exe, Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_0-40798
Source: C:\Users\user\Desktop\file.exe, Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AC3BE0 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,0_2_00AC3BE0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00ABDB14 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00ABDB14
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AAA0AC InitializeProcThreadAttributeList,GetProcessHeap,HeapAlloc,InitializeProcThreadAttributeList,0_2_00AAA0AC
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,0_2_004011B0
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00402F74 SetUnhandledExceptionFilter,0_2_00402F74
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00401B30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,0_2_00401B30
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0045D2FC SetUnhandledExceptionFilter,0_2_0045D2FC
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AB6280 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AB6280
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AC64A8 SetUnhandledExceptionFilter,0_2_00AC64A8

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
Source: Yara match, File source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AB2308 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,0_2_00AB2308
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AB2280 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00AB2280
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00A55DB4 cpuid 0_2_00A55DB4
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,0_2_00401630
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00401A50 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00401A50
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA8768 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,0_2_00AA8768
Source: C:\Users\user\Desktop\file.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Remote Access Functionality

                  barindex
Source: Yara match, File source: Process Memory Space: file.exe PID: 7360, type: MEMORYSTR
Source: Yara match, File source: 0.2.file.exe.a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.a90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.a90000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.3710494904.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.3710436556.0000000000A30000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: file.exe, type: SAMPLE
Source: Yara match, File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA902C htonl,htons,socket,closesocket,bind,ioctlsocket,0_2_00AA902C
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AB3320 socket,closesocket,htons,bind,listen,0_2_00AB3320
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00AA9434 socket,htons,ioctlsocket,closesocket,bind,listen,0_2_00AA9434

MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures mapped to that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (1) | Valid Accounts (2) | Valid Accounts (2) | Valid Accounts (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Access Token Manipulation (21) | Virtualization/Sandbox Evasion (212) | LSASS Memory | Security Software Discovery (341) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Process Injection (1) | Access Token Manipulation (21) | Security Account Manager | Virtualization/Sandbox Evasion (212) | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (1) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Information Discovery (14) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement