Source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 18896, "SleepTime": 45000, "MaxGetSize": 1403644, "Jitter": 37, "C2Server": "156.255.2.100,/jquery-3.3.1.min.js", "HttpPostUri": "/jquery-3.3.2.min.js", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 3931 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""} |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 4x nop then cmp rdx, rbx |
0_2_0006B320 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 4x nop then cmp rdx, 40h |
0_2_0007F360 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 4x nop then shr r10, 0Dh |
0_2_0008A580 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 4x nop then shr r10, 0Dh |
0_2_0008BA00 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 4x nop then lock or byte ptr [rdx], dil |
0_2_0007FAA0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 156.255.2.100 |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4FA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://code.jquery.com/ |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://code.jquery.com/9 |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1665460692.0000014674A27000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ecca012f8 |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100/ |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/ |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/SMF |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/dlliCe |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1865259540.0000014674A09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2889081795.0000014674A09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js$Y |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1865495196.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js% |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js. |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1865495196.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js2 |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js53011b87bd06M |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4B4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js9 |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D532000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsV |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsY |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsl |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsography |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsoint:V |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2889081795.0000014674A09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jspXS |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsr |
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D532000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsrovider |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1865495196.000001464D532000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsrovider9 |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsvider |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2889081795.0000014674A09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsvider8Xk |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1865259540.0000014674A09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsxX |
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsyptnetUrlCache |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1865259540.0000014674A09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsy~Z |
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://156.255.2.100:18896/l |
Source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000003.1642564620.0000014673FE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000002.2889323471.0000014674DC0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Rule for beacon sleep obfuscation routine Author: unknown |
Source: 00000000.00000002.2888836654.0000014674030000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0006C240 |
0_2_0006C240 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000942C0 |
0_2_000942C0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0009D920 |
0_2_0009D920 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00087A60 |
0_2_00087A60 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00061AA0 |
0_2_00061AA0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00086C60 |
0_2_00086C60 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000A4CA0 |
0_2_000A4CA0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0006CDE0 |
0_2_0006CDE0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00074E20 |
0_2_00074E20 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00063040 |
0_2_00063040 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000AE040 |
0_2_000AE040 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000970C0 |
0_2_000970C0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0007D0E0 |
0_2_0007D0E0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000C2109 |
0_2_000C2109 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000AF260 |
0_2_000AF260 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0009E3A0 |
0_2_0009E3A0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000793C0 |
0_2_000793C0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00084560 |
0_2_00084560 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0009F560 |
0_2_0009F560 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0008A580 |
0_2_0008A580 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00081600 |
0_2_00081600 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0009B600 |
0_2_0009B600 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00069620 |
0_2_00069620 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000798E0 |
0_2_000798E0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00097900 |
0_2_00097900 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0008E980 |
0_2_0008E980 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0006D9A0 |
0_2_0006D9A0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000859A0 |
0_2_000859A0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0008BA00 |
0_2_0008BA00 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00073A20 |
0_2_00073A20 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0008AA40 |
0_2_0008AA40 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0008DC00 |
0_2_0008DC00 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000B9C00 |
0_2_000B9C00 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0009ACA0 |
0_2_0009ACA0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00078D00 |
0_2_00078D00 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0007FD20 |
0_2_0007FD20 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000AAD20 |
0_2_000AAD20 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0008CDE0 |
0_2_0008CDE0 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_00077F60 |
0_2_00077F60 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0000014674051528 |
0_2_0000014674051528 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0000014674050E64 |
0_2_0000014674050E64 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0000014674051F9C |
0_2_0000014674051F9C |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_000001467404F1A8 |
0_2_000001467404F1A8 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0000014674046B38 |
0_2_0000014674046B38 |
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe |
Code function: 0_2_0000014674DC0000 |
0_2_0000014674DC0000 |
Source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000003.1642564620.0000014673FE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000002.2889323471.0000014674DC0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000000.00000002.2888836654.0000014674030000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: |
Source: 1x6jzcZeRu.exe |
String found in binary or memory: unsafe.String: len out of rangefaa2375edd5eade9607c79ab4660cbb1CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWcrypto/aes: input not full blockresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "use of closed network connectionCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWcrypto/aes: output not full blocktoo many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "waiting for unsupported file typeCM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModescrypto/aes: invalid buffer overlaptoo many references: cannot spliceslice bounds out of range [:%x:%y]slice b |