Windows Analysis Report championship.dll

Overview

General Information

Sample Name: championship.dll
Analysis ID: 476189
MD5: 0b7da6388091ff9d696a18c95d41b587
SHA1: 6c10d7d88606ac1afd30b4e61bf232329a276cdc
SHA256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b
Tags: dodefoh_comexehidusi_com

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected CobaltStrike
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Creates processes via WMI
Queues an APC in another process (thread injection)
Deletes itself after installation
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 5460 cmdline: loaddll64.exe 'C:\Users\user\Desktop\championship.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 7068 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\championship.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5196 cmdline: rundll32.exe 'C:\Users\user\Desktop\championship.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • wabmig.exe (PID: 1280 cmdline: C:\Program Files\Windows Mail\wabmig.exe MD5: 7E7C6F1B88DDD641254F573DCADE3D49)
    • wabmig.exe (PID: 5840 cmdline: C:\Program Files\Windows Mail\wabmig.exe MD5: 7E7C6F1B88DDD641254F573DCADE3D49)
  • powershell.exe (PID: 6796 cmdline: powershell -c 'Sleep 5 ; Remove-Item -Path 'C:\Users\user\Desktop\championship.dll' -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6820 cmdline: powershell -c 'Sleep 5 ; Remove-Item -Path 'C:\Users\user\Desktop\championship.dll' -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: CobaltStrike

{
  "BeaconType": ["HTTPS"],
  "Port": 443,
  "SleepTime": 5000,
  "MaxGetSize": 2796542,
  "Jitter": 22,
  "C2Server": "dodefoh.com,/ml.html,joxinu.com,/hr.html",
  "HttpPostUri": "/ky",
  "Malleable_C2_Instructions": ["Remove 338 bytes from the beginning", "Base64 decode", "NetBIOS decode 'A'"],
  "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1580103814,
  "bStageCleanup": "True",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "False",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 16583,
  "ProcInject_PrependAppend_x86": ["kJCQkJA=", "Empty"],
  "ProcInject_PrependAppend_x64": ["kJCQkJA=", "Empty"],
  "ProcInject_Execute": ["CreateThread", "CreateRemoteThread", "RtlCreateUserThread"],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000003.00000002.665031164.000001B6BC390000.00000004.00000001.sdmp | Rule: Cobaltbaltstrike_Payload_Encoded | Description: Detects CobaltStrike payloads | Author: Avast Threat Intel Team
  • 0xfd0:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
Source: 00000000.00000003.660087003.000001987DD70000.00000004.00000001.sdmp | Rule: Cobaltbaltstrike_Payload_Encoded | Description: Detects CobaltStrike payloads | Author: Avast Threat Intel Team
  • 0xc590:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
Source: 00000003.00000003.664078704.000001B6BC38B000.00000004.00000001.sdmp | Rule: Cobaltbaltstrike_Payload_Encoded | Description: Detects CobaltStrike payloads | Author: Avast Threat Intel Team
  • 0x5fd0:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
Source: 00000000.00000003.655300454.000001987DD97000.00000004.00000001.sdmp | Rule: Cobaltbaltstrike_Payload_Encoded | Description: Detects CobaltStrike payloads | Author: Avast Threat Intel Team
  • 0x3710:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
  • 0x31798:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp | Rule: Cobaltbaltstrike_Beacon_x64 | Description: Detects CobaltStrike payloads | Author: Avast Threat Intel Team
  • 0x4c:$h01: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D EA FF FF FF 48 89
  • 0x3a67c:$h13: 2E 2F 2E 2F 2E 2C 2E 26 2E 2C 2E 2F 2E 2C 2F 95 2E

Sigma Overview

System Summary:

Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132750284528384759.6796.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp | Malware Configuration Extractor: CobaltStrike (the extracted configuration is the one listed above under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: championship.dll | Virustotal: Detection: 36%
Source: championship.dll | ReversingLabs: Detection: 22%
Antivirus detection for URL or domain
Source: unknown | HTTPS traffic detected: 45.153.241.127:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.241.127:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.147.229.242:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.147.229.242:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.62.118.69:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.62.118.69:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: championship.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wabmig.pdbGCTL | source: loaddll64.exe, 00000000.00000002.660873205.000001987DDC8000.00000004.00000001.sdmp
Source: Binary string: wabmig.pdb | source: loaddll64.exe, 00000000.00000002.660873205.000001987DDC8000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\rundll32.exe | Domain query: macuwuf.com
Source: C:\Windows\System32\rundll32.exe | Network Connect: 45.153.241.127 443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: dodefoh.com
Source: Joe Sandbox View | ASN Name: COMBAHTONcombahtonGmbHDE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 91.199.212.52
Source: wabmig.exe, 00000005.00000003.862534086.000001D6A1A27000.00000004.00000001.sdmpString found in binary or memory: https://dodefoh.com/ml.html?dbprefix=falseo
Source: wabmig.exe, 00000006.00000003.666880440.0000021086500000.00000004.00000001.sdmpString found in binary or memory: https://dodefoh.com/ml.html?dbprefix=falseup
Source: wabmig.exe, 00000006.00000000.659072976.0000021086447000.00000004.00000020.sdmpString found in binary or memory: https://dodefoh.com/static-directory/media.gif
Source: wabmig.exe, 00000005.00000002.919979444.000001D6A1968000.00000004.00000020.sdmpString found in binary or memory: https://dodefoh.com/static-directory/media.gifGISTR
Source: wabmig.exe, 00000005.00000000.658151163.00000065D037D000.00000004.00000001.sdmpString found in binary or memory: https://dodefoh.com/static-directory/media.gifdodefoh.com
Source: wabmig.exe, 00000006.00000000.659187165.0000021086494000.00000004.00000020.sdmpString found in binary or memory: https://dodefoh.com/static-directory/media.gifv
Source: powershell.exe, 00000009.00000002.685646029.000002C588540000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.694923262.00000216277ED000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: wabmig.exe, 00000005.00000003.872734292.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000005.00000003.744165637.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.776573295.00000210864C5000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/
Source: wabmig.exe, 00000005.00000003.744096911.000001D6A19F4000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/0
Source: wabmig.exe, 00000005.00000003.821323732.000001D6A19F4000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/3
Source: wabmig.exe, 00000005.00000003.872734292.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.723925005.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/8f6-4e9a-955c-4899f5f57b9a
Source: wabmig.exe, 00000005.00000003.744165637.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/8f6-4e9a-955c-4899f5f57b9aj
Source: wabmig.exe, 00000005.00000002.920329137.000001D6A36D4000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/b4PYD
Source: wabmig.exe, 00000005.00000003.821323732.000001D6A19F4000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/e
Source: wabmig.exe, 00000006.00000003.835105766.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false
Source: wabmig.exe, 00000005.00000003.810052275.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false$
Source: wabmig.exe, 00000006.00000003.787510967.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false)
Source: wabmig.exe, 00000006.00000003.723925005.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false-end-point:
Source: wabmig.exe, 00000005.00000003.897979025.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false/
Source: wabmig.exe, 00000005.00000003.872734292.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false0
Source: wabmig.exe, 00000005.00000003.786738526.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false2
Source: wabmig.exe, 00000005.00000003.897979025.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false5c-4899f5f57b9a
Source: wabmig.exe, 00000006.00000003.787529655.000002108650D000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false8
Source: wabmig.exe, 00000005.00000003.776671004.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=false9
Source: wabmig.exe, 00000005.00000003.776671004.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.810927414.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseP
Source: wabmig.exe, 00000005.00000003.832056547.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseP0
Source: wabmig.exe, 00000006.00000003.787510967.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseR
Source: wabmig.exe, 00000006.00000003.835105766.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseZ
Source: wabmig.exe, 00000005.00000003.744165637.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falsec
Source: wabmig.exe, 00000005.00000003.776671004.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000005.00000003.832056547.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.810927414.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseic
Source: wabmig.exe, 00000005.00000003.872734292.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.835105766.0000021086500000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.810927414.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseko)
Source: wabmig.exe, 00000006.00000003.787510967.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falsen
Source: wabmig.exe, 00000006.00000003.702692942.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseq
Source: wabmig.exe, 00000005.00000003.872734292.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000005.00000003.810052275.000001D6A1A27000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.702692942.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falsese
Source: wabmig.exe, 00000006.00000003.723925005.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseseeJ6
Source: wabmig.exe, 00000006.00000003.835105766.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falsev
Source: wabmig.exe, 00000005.00000003.786738526.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falsew
Source: wabmig.exe, 00000005.00000003.810052275.000001D6A1A27000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/hr.html?dbprefix=falseyptography
Source: wabmig.exe, 00000006.00000003.723925005.0000021086500000.00000004.00000001.sdmp String found in binary or memory: https://joxinu.com/xinu.com/hr.html?dbprefix=false
Source: powershell.exe, 00000008.00000002.695952140.0000021635D38000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.685646029.000002C588540000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: loaddll64.exe, 00000000.00000003.655274872.000001987DD7B000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.656244953.000001B6BC330000.00000004.00000001.sdmp, wabmig.exe, 00000005.00000003.776697468.000001D6A1A4C000.00000004.00000001.sdmp, wabmig.exe, 00000006.00000003.776573295.00000210864C5000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: championship.dll String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: unknown DNS traffic detected: queries for: macuwuf.com
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3C8E80 WSASetLastError,WSARecv,WSAGetLastError, 0_2_00007FFA9B3C8E80
Source: global traffic HTTP traffic detected: GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: crt.sectigo.com
Source: unknown HTTPS traffic detected: 45.153.241.127:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.153.241.127:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.147.229.242:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.147.229.242:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.62.118.69:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.62.118.69:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: C:\Program Files\Windows Mail\wabmig.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000006.00000002.920231025.0000021086660000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000006.00000003.665228337.0000021088270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000005.00000002.920387455.000001D6A3BB0000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.665031164.000001B6BC390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660087003.000001987DD70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.664078704.000001B6BC38B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.655300454.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000005.00000003.664412438.000001D6A37B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000003.00000003.656244953.000001B6BC330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.664287710.000001B6BC390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660126445.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660126445.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660181017.000001987DD72000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000006.00000002.920231025.0000021086660000.00000020.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000000.00000003.660378089.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660378089.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660221132.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660221132.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.655274872.000001987DD7B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.663987628.000001B6BC35E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.664892717.000001B6BC322000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.656312714.000001B6BC330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.659712789.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.659712789.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.656330879.000001B6BC35E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.660803756.000001987DD79000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.664038361.000001B6BC321000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.660833593.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.660833593.000001987DD97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.664330957.000001B6BC390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.659667065.000001987DD6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000003.656265037.000001B6BC35E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.660280260.000001987DD78000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000006.00000003.665228337.0000021088270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000006.00000003.665228337.0000021088270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000006.00000003.665228337.0000021088270000.00000040.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000006.00000003.665228337.0000021088270000.00000040.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000006.00000003.665228337.0000021088270000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000005.00000002.920387455.000001D6A3BB0000.00000020.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: Process Memory Space: loaddll64.exe PID: 5460, type: MEMORYSTR Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: rundll32.exe PID: 5196, type: MEMORYSTR Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3EBB50 0_2_00007FFA9B3EBB50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3D7430 0_2_00007FFA9B3D7430
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3CB730 0_2_00007FFA9B3CB730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B419040 0_2_00007FFA9B419040
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3EC1D0 0_2_00007FFA9B3EC1D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B400120 0_2_00007FFA9B400120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B449C00 0_2_00007FFA9B449C00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B453C80 0_2_00007FFA9B453C80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3F9C40 0_2_00007FFA9B3F9C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B463B10 0_2_00007FFA9B463B10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B455AF0 0_2_00007FFA9B455AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B45FB80 0_2_00007FFA9B45FB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B429BB0 0_2_00007FFA9B429BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42BBA0 0_2_00007FFA9B42BBA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B421A13 0_2_00007FFA9B421A13
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42DA40 0_2_00007FFA9B42DA40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B41DA40 0_2_00007FFA9B41DA40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B427A40 0_2_00007FFA9B427A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42DA70 0_2_00007FFA9B42DA70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B45F910 0_2_00007FFA9B45F910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B41590E 0_2_00007FFA9B41590E
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B415917 0_2_00007FFA9B415917
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B429900 0_2_00007FFA9B429900
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B415905 0_2_00007FFA9B415905
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B415932 0_2_00007FFA9B415932
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B415929 0_2_00007FFA9B415929
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42B990 0_2_00007FFA9B42B990
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B43B980 0_2_00007FFA9B43B980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B428010 0_2_00007FFA9B428010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B40DFD0 0_2_00007FFA9B40DFD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B4DE050 0_2_00007FFA9B4DE050
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B44A040 0_2_00007FFA9B44A040
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B459EC0 0_2_00007FFA9B459EC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B41DF80 0_2_00007FFA9B41DF80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3F1FA0 0_2_00007FFA9B3F1FA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B429F70 0_2_00007FFA9B429F70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B437F70 0_2_00007FFA9B437F70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B419F70 0_2_00007FFA9B419F70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B419E10 0_2_00007FFA9B419E10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B4DDDD4 0_2_00007FFA9B4DDDD4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B423EA3 0_2_00007FFA9B423EA3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42BE60 0_2_00007FFA9B42BE60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42DD00 0_2_00007FFA9B42DD00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B423D00 0_2_00007FFA9B423D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B421CF3 0_2_00007FFA9B421CF3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B439CE0 0_2_00007FFA9B439CE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3FFCF0 0_2_00007FFA9B3FFCF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B41DD50 0_2_00007FFA9B41DD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B3D9D40 0_2_00007FFA9B3D9D40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B41D430 0_2_00007FFA9B41D430
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B431480 0_2_00007FFA9B431480
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B4232FF 0_2_00007FFA9B4232FF
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B42D390 0_2_00007FFA9B42D390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B45D210 0_2_00007FFA9B45D210
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFA9B40B280