
Windows Analysis Report
c_shlellcode.exe

Overview

General Information

Sample name: c_shlellcode.exe
Analysis ID: 1585850
MD5: 3e96c0115aeac2b89d926f326079fdc0
SHA1: a89bb148add8feaa7722fb050bb6b60a1ba00fa3
SHA256: e6cf1ddc88cf5b00cc2104cd0d9b87bc9f69674594d256dcc3da9ecc95da16fc
Tags: CobaltStrike, exe, user-kafan_shengui

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Yara signature match

Classification

  • System is w10x64
  • c_shlellcode.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\c_shlellcode.exe" MD5: 3E96C0115AEAC2B89D926F326079FDC0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"BeaconType": ["HTTPS"], "Port": 18443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "111.119.200.175,/updates.rss", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source | Rule | Description | Author | Strings
00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32d6a:$a11: Could not open service control manager on %s: %d
  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x33255:$a15: could not create remote thread in %d: %d
  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33203:$a17: could not write to process memory: %d
  • 0x32d9b:$a18: Could not create service %s on %s: %d
  • 0x32e24:$a19: Could not delete service %s on %s: %d
  • 0x32c89:$a20: Could not open process token: %d (%u)
00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Source | Rule | Description | Author | Strings
0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32d6a:$a11: Could not open service control manager on %s: %d
  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x33255:$a15: could not create remote thread in %d: %d
  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33203:$a17: could not write to process memory: %d
  • 0x32d9b:$a18: Could not create service %s on %s: %d
  • 0x32e24:$a19: Could not delete service %s on %s: %d
  • 0x32c89:$a20: Could not open process token: %d (%u)
0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T11:06:07.290596+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49709 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:11.546982+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49713 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:15.793084+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49722 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:20.194483+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49751 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:24.455613+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49788 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:28.687808+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49819 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:32.954691+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49850 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:37.264398+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49877 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:41.561225+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49907 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:45.816095+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49937 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:50.080727+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49968 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:54.343088+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50001 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:06:58.594089+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50019 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:02.844226+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50023 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:07.095041+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50026 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:11.348646+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50030 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:15.611478+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50033 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:19.843146+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50036 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:24.079139+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50039 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:28.314430+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50043 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:32.564423+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50046 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:36.812047+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50050 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:41.067674+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50053 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:45.297024+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50056 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:49.569308+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50059 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:53.798141+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50062 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:07:58.030076+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50065 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:08:02.426285+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50069 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:08:06.670631+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50072 | 111.119.200.175 | 18443 | TCP
2025-01-08T11:08:10.906925+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 50075 | 111.119.200.175 | 18443 | TCP


          AV Detection

Source: c_shlellcode.exe | Avira: detected
Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 18443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "111.119.200.175,/updates.rss", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: c_shlellcode.exe | Virustotal: Detection: 25%
Source: c_shlellcode.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: c_shlellcode.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

          Networking

Source: Malware configuration extractor | URLs: 111.119.200.175
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 111.119.200.175:18443
Source: Joe Sandbox View | ASN Name: SIPL-ASSysconInfowayPvtLtdIN
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49713 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49709 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49722 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49788 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49751 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49819 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49850 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49877 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49907 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49968 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50019 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50023 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50039 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50053 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50026 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50059 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50062 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50069 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50056 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50030 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50072 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50046 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50050 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50036 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50033 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50043 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50065 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50075 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50001 -> 111.119.200.175:18443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49937 -> 111.119.200.175:18443
Source: unknown | TCP traffic detected without corresponding DNS query: 111.119.200.175 (this entry is repeated 50 times in the report)
Source: c_shlellcode.exe, 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:%u/
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175/
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/.0;
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/200.175:18443/updates.rss
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/200.175:18443/updates.rssv
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/ent/5.0;
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF998F000.00000004.00000020.00020000.00000000.sdmp, c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF99C0000.00000004.00000020.00020000.00000000.sdmp, c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rss
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rssA
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rssZPH
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF99C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rssings
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rssrPP
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rsstP
Source: c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://111.119.200.175:18443/updates.rssy

          System Summary

Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload | Author: ditekSHen
Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 | Author: unknown
Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: unknown
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTRMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTRMatched rule: CobaltStrike payload Author: ditekSHen
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 (os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d (os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc (reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om (date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon (date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 (date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 (date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader (date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike (author = ditekSHen, description = CobaltStrike payload)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 (os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d (os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc (reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om (date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon (date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 (date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 (date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader (date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
          Source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike (author = ditekSHen, description = CobaltStrike payload)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 (os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d (os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc (reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Beacon_K5om (date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon (date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Leviathan_CobaltStrike_Sample_1 (date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: crime_win32_csbeacon_1 (date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader (date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_CobaltStrike (author = ditekSHen, description = CobaltStrike payload)
          Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 (os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23)
          Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d (os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17)
          Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc (reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13)
          Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon (date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL)
          Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader (date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Trojan_Raw_Generic_4 (date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d)
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 (os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23)
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d (os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17)
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc (reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13)
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon (date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL)
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader (date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Trojan_Raw_Generic_4 (date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d)
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 (os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23)
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR, Matched rule: CobaltStrike_Unmodifed_Beacon (date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL)
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR, Matched rule: crime_win32_csbeacon_1 (date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753)
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR, Matched rule: WiltedTulip_ReflectiveLoader (date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/)
          Source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR, Matched rule: MALWARE_Win_CobaltStrike (author = ditekSHen, description = CobaltStrike payload)
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@1/0@0/1
          Source: c_shlellcode.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: c_shlellcode.exe, Virustotal: Detection: 25%
          Source: c_shlellcode.exe, ReversingLabs: Detection: 15%
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
          Source: c_shlellcode.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: c_shlellcode.exe, Static PE information: Image base 0x140000000 > 0x60000000
          Source: c_shlellcode.exe, Static file information: File size 5593088 > 1048576
          Source: c_shlellcode.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x347e00
          Source: c_shlellcode.exe, Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1f9a00
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: c_shlellcode.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: c_shlellcode.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: c_shlellcode.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: c_shlellcode.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: c_shlellcode.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: c_shlellcode.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: c_shlellcode.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\c_shlellcode.exe TID: 3784, Thread sleep time: -1740000s >= -30000s
          Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Last function: Thread delayed
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Last function: Thread delayed
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Thread delayed: delay time: 60000
          Source: c_shlellcode.exe, 00000000.00000002.3386064423.000001BCF97FD000.00000004.00000020.00020000.00000000.sdmp, c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
          Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match, File source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR
          Source: C:\Users\user\Desktop\c_shlellcode.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Remote Access Functionality

          Source: Yara match, File source: Process Memory Space: c_shlellcode.exe PID: 7116, type: MEMORYSTR
          Source: Yara match, File source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0.2.c_shlellcode.exe.1bcf9b60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.c_shlellcode.exe.1bcf9b60000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK matrix (one tactic per row; a number in front of a technique is the hit count the matrix shows for it, techniques without a number carry no hit):

          Tactic               | Techniques
          ---------------------|-----------------------------------------------------------------------------------------------
          Reconnaissance       | Gather Victim Identity Information; Credentials; Email Addresses
          Resource Development | Acquire Infrastructure; Domains; DNS Server
          Initial Access       | Valid Accounts; Default Accounts; Domain Accounts
          Execution            | Windows Management Instrumentation; Scheduled Task/Job; At
          Persistence          | 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
          Privilege Escalation | 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
          Defense Evasion      | 11 Virtualization/Sandbox Evasion; 1 DLL Side-Loading; Obfuscated Files or Information
          Credential Access    | OS Credential Dumping; LSASS Memory; Security Account Manager
          Discovery            | 1 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 System Information Discovery
          Lateral Movement     | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
          Collection           | Data from Local System; Data from Removable Media; Data from Network Shared Drive
          Command and Control  | 1 Non-Standard Port; 1 Application Layer Protocol; Steganography
          Exfiltration         | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
          Impact               | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
          Source           | Detection | Scanner       | Label
          -----------------|-----------|---------------|-------------------------
          c_shlellcode.exe | 25%       | Virustotal    |
          c_shlellcode.exe | 16%       | ReversingLabs | Win64.Trojan.BeaconMarte
          c_shlellcode.exe | 100%      | Avira         | HEUR/AGEN.1318781
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
https://111.119.200.175:18443/ | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rssA | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/200.175:18443/updates.rssv | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rss | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rssy | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/.0; | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rssrPP | 0% | Avira URL Cloud | safe
https://111.119.200.175/ | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rssZPH | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rssings | 0% | Avira URL Cloud | safe
111.119.200.175 | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/200.175:18443/updates.rss | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/updates.rsstP | 0% | Avira URL Cloud | safe
https://111.119.200.175:18443/ent/5.0; | 0% | Avira URL Cloud | safe

All of these point at one endpoint. The variants with trailing characters (…rssA, …rssv, …rssy, …rssrPP, …rssZPH, …rssings, …rsstP), the doubled host fragment and the "/.0;" and "/ent/5.0;" forms are string-carving artifacts from the memory dumps listed further down, where adjacent bytes were read as part of the URL; they are not distinct URLs. The C2 endpoint is https://111.119.200.175:18443/updates.rss. The "safe" verdicts are URL-reputation lookups and carry no weight against the behavioural classification; the report itself marks the IP as malicious.
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
111.119.200.175 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://111.119.200.175:18443/ | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rssA | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/.0; | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/200.175:18443/updates.rssv | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rssy | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rssrPP | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rss | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp; c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF998F000.00000004.00000020.00020000.00000000.sdmp; c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF99C0000.00000004.00000020.00020000.00000000.sdmp; c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rssZPH | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175/ | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rssings | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF99C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:%u/ | c_shlellcode.exe, 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp | false | | high
https://111.119.200.175:18443/200.175:18443/updates.rss | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/updates.rsstP | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF999D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://111.119.200.175:18443/ent/5.0; | c_shlellcode.exe, 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
111.119.200.175 | unknown | India | 45194 | SIPL-ASSysconInfowayPvtLtdIN | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585850
Start date and time: 2025-01-08 11:05:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: c_shlellcode.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtDeviceIoControlFile calls found.
Time | Type | Description
05:06:08 | API Interceptor | 29x Sleep call for process: c_shlellcode.exe modified

The sandbox's API Interceptor shortened the sample's Sleep calls 29 times, so the check-in cadence seen in the network capture below is a property of this run, not the implant's configured sleep and jitter.
            No context
            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SIPL-ASSysconInfowayPvtLtdIN | Fantazy.spc.elf | malicious | Unknown | 160.22.201.149
SIPL-ASSysconInfowayPvtLtdIN | Hilix.x86.elf | malicious | Mirai | 45.117.212.14
SIPL-ASSysconInfowayPvtLtdIN | armv7l.elf | malicious | Unknown | 160.21.14.112
SIPL-ASSysconInfowayPvtLtdIN | hmips.elf | malicious | Mirai | 160.21.176.231
SIPL-ASSysconInfowayPvtLtdIN | sparc.nn.elf | malicious | Mirai, Okiru | 160.22.166.105
SIPL-ASSysconInfowayPvtLtdIN | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 160.22.121.182
SIPL-ASSysconInfowayPvtLtdIN | mips.nn.elf | malicious | Mirai, Okiru | 160.21.29.33
SIPL-ASSysconInfowayPvtLtdIN | mips.nn.elf | malicious | Mirai, Okiru | 160.22.199.61
SIPL-ASSysconInfowayPvtLtdIN | jew.mpsl.elf | malicious | Unknown | 183.87.70.106
SIPL-ASSysconInfowayPvtLtdIN | i486.elf | malicious | Mirai | 160.22.118.22
            No context
            No context
            No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.620101170481614
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: c_shlellcode.exe
File size: 5'593'088 bytes
MD5: 3e96c0115aeac2b89d926f326079fdc0
SHA1: a89bb148add8feaa7722fb050bb6b60a1ba00fa3
SHA256: e6cf1ddc88cf5b00cc2104cd0d9b87bc9f69674594d256dcc3da9ecc95da16fc
SHA512: c3d9399e6654f69a0ab5db00953dd28983084eafb4eb8d9f6daf52394f898811eca75e81e1e6ac6a375cfe8fd581148d281a1a5c5049f46c82a6bb3283db2601
SSDEEP: 98304:Opmw8u6dz3TnvMMMMMMSQMMMMMMqiMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMh:Opz8LJj
TLSH: 8546F5218E3F61E0E56A3F72C8B7A46FC71E6F609356D4D16BE434870637A62E15CCA0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..Qn.x.n.x.n.x.%.{.h.x.%.}...x.%.|.~.x..C{.d.x..C|.~.x..C}.<.x.%.y.m.x.n.y...x..C}.o.x..C..o.x..Cz.o.x.Richn.x................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1403288ac
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x677D2EFB [Tue Jan 7 13:41:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: ac3973a69755a7d751cb90349483f62d

The compile timestamp is the day before the analysis start (2025-01-08), the binary is unsigned, and the SSDEEP hash is dominated by a long run of identical bytes (the repeated "M" blocks), which points to a large, highly redundant region in the file.
Instruction (disassembly at the entrypoint; the listing decodes this x64 code as 32-bit, so each "dec eax" is the REX.W prefix byte 0x48 of the instruction that follows it: "dec eax / sub esp, 28h" is "sub rsp, 28h", "dec eax / mov ebx, ecx" is "mov rbx, rcx", and so on)
            dec eax
            sub esp, 28h
            call 00007F786CE0977Ch
            dec eax
            add esp, 28h
            jmp 00007F786CE08DA7h
            int3
            int3
            inc eax
            push ebx
            dec eax
            sub esp, 20h
            dec eax
            mov ebx, ecx
            jmp 00007F786CE08F41h
            dec eax
            mov ecx, ebx
            call 00007F786CE1685Eh
            test eax, eax
            je 00007F786CE08F45h
            dec eax
            mov ecx, ebx
            call 00007F786CE1287Eh
            dec eax
            test eax, eax
            je 00007F786CE08F19h
            dec eax
            add esp, 20h
            pop ebx
            ret
            dec eax
            cmp ebx, FFFFFFFFh
            je 00007F786CE08F38h
            call 00007F786CE05EF4h
            int3
            call 00007F786CE09ACAh
            int3
            jmp 00007F786CE09AE4h
            int3
            int3
            int3
            dec eax
            sub esp, 28h
            call 00007F786CE09AE0h
            test eax, eax
            je 00007F786CE08F53h
            dec eax
            mov eax, dword ptr [00000030h]
            dec eax
            mov ecx, dword ptr [eax+08h]
            jmp 00007F786CE08F37h
            dec eax
            cmp ecx, eax
            je 00007F786CE08F46h
            xor eax, eax
            dec eax
            cmpxchg dword ptr [00031E20h], ecx
            jne 00007F786CE08F20h
            xor al, al
            dec eax
            add esp, 28h
            ret
            mov al, 01h
            jmp 00007F786CE08F29h
            int3
            int3
            int3
            dec eax
            sub esp, 28h
            test ecx, ecx
            jne 00007F786CE08F39h
            mov byte ptr [00031E09h], 00000001h
            call 00007F786CE09411h
            call 00007F786CE0AF34h
            test al, al
            jne 00007F786CE08F36h
            xor al, al
            jmp 00007F786CE08F46h
            call 00007F786CE16D7Bh
            test al, al
            jne 00007F786CE08F3Bh
            xor ecx, ecx
            call 00007F786CE0AF44h
            jmp 00007F786CE08F1Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x357dc4 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35f000 | 0x1f9808 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x35c000 | 0x273c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x559000 | 0x938 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3542b0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x354480 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x354170 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x349000 | 0x2e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x347dc4 | 0x347e00 | d200e01b90d1929dea134f71098bf124 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x349000 | 0xf788 | 0xf800 | 48828846ca66669aae69ec84258e90c3 | False | 0.4185672883064516 | data | 4.91659459017448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x359000 | 0x2a20 | 0x1200 | 596db483a36b5a246b304f40384bf833 | False | 0.1736111111111111 | data | 2.8441863096632924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x35c000 | 0x273c | 0x2800 | 8c4ac94a314a34e48f9f3285f3d85add | False | 0.476171875 | data | 5.491342301571783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x35f000 | 0x1f9808 | 0x1f9a00 | 96f60c36a393c205e5cd69b13f51c84b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x559000 | 0x938 | 0xa00 | a435dc0bb531f084139b014157d6c298 | False | 0.489453125 | data | 5.284777266639493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x35f060 | 0x1f97a8 | Device independent bitmap graphic, 862 x 800 x 24, image size 0, resolution 4724 x 4724 px/m | Chinese | China | 0.10166549682617188
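The section, data-directory and resource numbers above can be cross-checked without the binary. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it transcribes the report's values and verifies that raw sizes are file-aligned, that sections are contiguous, that nothing is appended after the last section, that the entrypoint falls in .text, and that the 862 x 800 x 24 geometry of the RT_BITMAP resource accounts for its 0x1f97a8 bytes exactly. FILE_ALIGNMENT, SECTION_ALIGNMENT and SIZE_OF_HEADERS are not printed in the report and are assumed to be the usual MSVC defaults.

```python
"""Layout checks on the section, data-directory and resource tables above.

Added example; it is not part of the Joe Sandbox report and not code from the
sample. Every number below is transcribed from the report except the three
ALIGNMENT/HEADERS constants, which the report does not print and which are
assumed to be the usual MSVC defaults.
"""

FILE_SIZE = 5_593_088            # "File size" in the report
IMAGE_BASE = 0x140000000         # "Imagebase"
ENTRYPOINT_VA = 0x1403288AC      # "Entrypoint"
FILE_ALIGNMENT = 0x200           # assumed
SECTION_ALIGNMENT = 0x1000       # assumed
SIZE_OF_HEADERS = 0x400          # assumed

# (name, VirtualAddress, VirtualSize, RawSize, writable) from the section table.
SECTIONS = [
    (".text",  0x1000,   0x347DC4, 0x347E00, False),
    (".rdata", 0x349000, 0xF788,   0xF800,   False),
    (".data",  0x359000, 0x2A20,   0x1200,   True),
    (".pdata", 0x35C000, 0x273C,   0x2800,   False),
    (".rsrc",  0x35F000, 0x1F9808, 0x1F9A00, False),
    (".reloc", 0x559000, 0x938,    0xA00,    False),
]
RESOURCE_DIR = (0x35F000, 0x1F9808)              # IMAGE_DIRECTORY_ENTRY_RESOURCE
RT_BITMAP = (0x35F060, 0x1F97A8, 862, 800, 24)   # RVA, size, width, height, bpp


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def section_of(rva, sections=SECTIONS):
    """Name of the section that contains an RVA, or None if it maps to no section."""
    for name, va, vsize, _, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def layout_findings(sections=SECTIONS):
    """Raw sizes that are not the file-aligned virtual size, or gaps/overlaps between sections."""
    findings = []
    for i, (name, va, vsize, raw, writable) in enumerate(sections):
        expected_raw = align_up(vsize, FILE_ALIGNMENT)
        # A writable section may legitimately store less than it maps (zero-filled tail).
        if raw != expected_raw and not (writable and raw < vsize):
            findings.append(f"{name}: raw size {raw:#x}, expected {expected_raw:#x}")
        if i + 1 < len(sections):
            next_name, next_va = sections[i + 1][0], sections[i + 1][1]
            if align_up(va + vsize, SECTION_ALIGNMENT) != next_va:
                findings.append(f"{name}: not contiguous with {next_name}")
    return findings


def overlay_size(sections=SECTIONS, file_size=FILE_SIZE, headers=SIZE_OF_HEADERS):
    """Bytes after the last section's raw data; non-zero means an appended overlay."""
    return file_size - headers - sum(s[3] for s in sections)


def dib_size(width, height, bpp, header_size=40):
    """Size of a BITMAPINFOHEADER DIB; each pixel row is padded to a 4-byte boundary."""
    stride = ((width * bpp + 31) // 32) * 4
    return header_size + stride * height


def resource_findings(bitmap=RT_BITMAP, resource_dir=RESOURCE_DIR, file_size=FILE_SIZE):
    """Does the declared bitmap geometry explain the resource bytes, and how much of the file is it?"""
    rva, size, width, height, bpp = bitmap
    dir_rva, dir_size = resource_dir
    return {
        "bitmap_size_matches_dimensions": dib_size(width, height, bpp) == size,
        "bitmap_fills_resource_section": rva + size == dir_rva + dir_size,
        "bitmap_share_of_file": round(size / file_size, 3),
    }


if __name__ == "__main__":
    print("layout findings:", layout_findings() or "none")
    print("overlay bytes:", overlay_size())
    print("entrypoint section:", section_of(ENTRYPOINT_VA - IMAGE_BASE))
    print("resource:", resource_findings())
```

With the report's numbers the layout is clean: every raw size is the file-aligned virtual size (the smaller raw size of .data is the normal zero-filled tail of a writable section), the sections are contiguous, the file size minus the sections leaves exactly 0x400 bytes for the headers, so there is no overlay, and the bitmap's declared geometry accounts for its size to the byte and ends exactly at the end of the resource directory. A consistent DIB header does not rule out a payload inside the pixel data, and the report's signatures make no such claim; what the check establishes is that the 2 MB resource (about 37% of the file, with a ZLIB complexity of 0.10) is what it says it is, and that nothing is hidden after the last section.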
DLL | Imports
KERNEL32.dll | HeapCreate, HeapAlloc, GetCurrentProcess, CreateThread, FlushInstructionCache, GetModuleHandleW, GetProcAddress, WriteConsoleW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, RtlPcToFileHeader, RaiseException, RtlUnwindEx, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, CreateFileW, RtlUnwind

KERNEL32.dll is the only imported module. No networking library (WinINet, WinHTTP or ws2_32) appears in the import table although the sample talks TLS to its C2, so those APIs are resolved at run time; LoadLibraryExW and GetProcAddress are imported for that. Beyond the CRT boilerplate, the combination of HeapCreate, HeapAlloc, FlushInstructionCache and CreateThread is the usual sequence for placing a payload in memory and starting it on a new thread, which fits the report's CobaltStrike classification and the sample name.
Language of compilation system | Country where language is spoken
Chinese | China
Suricata alerts. All 30 alerts are the same rule: SID 2028765, "ET JA3 Hash - [Abuse.ch] Possible Dridex", severity 3, TCP from 192.168.2.6 to 111.119.200.175 port 18443. Only the timestamp and the source port vary:

Timestamp | Source Port
2025-01-08T11:06:07.290596+0100 | 49709
2025-01-08T11:06:11.546982+0100 | 49713
2025-01-08T11:06:15.793084+0100 | 49722
2025-01-08T11:06:20.194483+0100 | 49751
2025-01-08T11:06:24.455613+0100 | 49788
2025-01-08T11:06:28.687808+0100 | 49819
2025-01-08T11:06:32.954691+0100 | 49850
2025-01-08T11:06:37.264398+0100 | 49877
2025-01-08T11:06:41.561225+0100 | 49907
2025-01-08T11:06:45.816095+0100 | 49937
2025-01-08T11:06:50.080727+0100 | 49968
2025-01-08T11:06:54.343088+0100 | 50001
2025-01-08T11:06:58.594089+0100 | 50019
2025-01-08T11:07:02.844226+0100 | 50023
2025-01-08T11:07:07.095041+0100 | 50026
2025-01-08T11:07:11.348646+0100 | 50030
2025-01-08T11:07:15.611478+0100 | 50033
2025-01-08T11:07:19.843146+0100 | 50036
2025-01-08T11:07:24.079139+0100 | 50039
2025-01-08T11:07:28.314430+0100 | 50043
2025-01-08T11:07:32.564423+0100 | 50046
2025-01-08T11:07:36.812047+0100 | 50050
2025-01-08T11:07:41.067674+0100 | 50053
2025-01-08T11:07:45.297024+0100 | 50056
2025-01-08T11:07:49.569308+0100 | 50059
2025-01-08T11:07:53.798141+0100 | 50062
2025-01-08T11:07:58.030076+0100 | 50065
2025-01-08T11:08:02.426285+0100 | 50069
2025-01-08T11:08:06.670631+0100 | 50072
2025-01-08T11:08:10.906925+0100 | 50075

A JA3 rule matches the TLS ClientHello fingerprint, not the payload; the family name in the rule title is the label under which that fingerprint was catalogued and is not by itself an attribution (the report classifies the sample as CobaltStrike). Each alert comes from a new source port, so every check-in opens a fresh TLS connection to 111.119.200.175:18443, and the alerts arrive about 4.25 seconds apart.
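The regularity of these alerts is the kind of thing a detection rule can measure directly. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it takes the 30 alert timestamps and source ports transcribed from the table above, computes the inter-arrival gaps, and decides whether they look like a fixed-sleep beacon, with a constructed, human-paced set of connections to the same host as a control. The threshold names and the control data are the example's own.

```python
"""Periodicity check over the Suricata alert timestamps in the report above.

Added example, not part of the Joe Sandbox report and not code from the sample.
ALERTS is transcribed from the 30 JA3 alerts (time and source port; the other
columns are constant). CONTROL is constructed, non-periodic traffic for contrast.
"""
from datetime import datetime
from statistics import median

DATE, TZ = "2025-01-08T", "+0100"

ALERTS = """\
11:06:07.290596 49709
11:06:11.546982 49713
11:06:15.793084 49722
11:06:20.194483 49751
11:06:24.455613 49788
11:06:28.687808 49819
11:06:32.954691 49850
11:06:37.264398 49877
11:06:41.561225 49907
11:06:45.816095 49937
11:06:50.080727 49968
11:06:54.343088 50001
11:06:58.594089 50019
11:07:02.844226 50023
11:07:07.095041 50026
11:07:11.348646 50030
11:07:15.611478 50033
11:07:19.843146 50036
11:07:24.079139 50039
11:07:28.314430 50043
11:07:32.564423 50046
11:07:36.812047 50050
11:07:41.067674 50053
11:07:45.297024 50056
11:07:49.569308 50059
11:07:53.798141 50062
11:07:58.030076 50065
11:08:02.426285 50069
11:08:06.670631 50072
11:08:10.906925 50075
"""

# Constructed, not from the report: human-paced connections to the same host.
CONTROL = """\
11:06:07.000000 50101
11:06:07.800000 50102
11:06:12.100000 50103
11:06:25.000000 50104
11:06:25.300000 50105
11:06:40.900000 50106
11:07:10.200000 50107
11:07:11.000000 50108
"""


def parse(lines):
    """Return (timestamp, source port) pairs sorted by time."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, port = line.split()
        when = datetime.strptime(DATE + ts + TZ, "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append((when, int(port)))
    return sorted(events)


def beacon_profile(lines, min_events=6, max_rel_jitter=0.25):
    """Summarise inter-arrival gaps and decide whether they look like a fixed-sleep beacon.

    A fixed sleep with little jitter gives near-constant gaps; a jitter setting widens
    the spread, so max_rel_jitter is a tunable for the environment, not a constant.
    """
    events = parse(lines)
    gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
    profile = {
        "events": len(events),
        "distinct_source_ports": len({port for _, port in events}),
        "median_gap_s": None,
        "max_rel_jitter": None,
        "periodic": False,
    }
    if len(events) < min_events:
        return profile
    med = median(gaps)
    spread = max(abs(g - med) for g in gaps) / med
    profile.update(median_gap_s=med, max_rel_jitter=spread, periodic=spread <= max_rel_jitter)
    return profile


if __name__ == "__main__":
    for name, data in (("report alerts", ALERTS), ("constructed control", CONTROL)):
        print(name, beacon_profile(data))
```

On the report's alerts the median gap is about 4.25 s with every gap within 4% of it, and each event uses a new source port, so the profile flags the traffic as periodic; the constructed control has gaps from 0.3 s to 29 s and is not flagged. Two caveats for anyone reusing the threshold: the sandbox modified the sample's Sleep calls 29 times, so the 4.25 s period describes this run and not the operator's configured sleep, and a beacon configured with a long sleep and a large jitter would need a wider max_rel_jitter and a longer observation window than three minutes of capture.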
Timestamp (Jan 8, 2025, CET) | Source Port | Dest Port | Source IP | Dest IP
11:06:05.214843035 | 49709 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:05.219635010 | 18443 | 49709 | 111.119.200.175 | 192.168.2.6
11:06:05.219723940 | 49709 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:05.228331089 | 49709 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:05.233087063 | 18443 | 49709 | 111.119.200.175 | 192.168.2.6
11:06:07.290504932 | 18443 | 49709 | 111.119.200.175 | 192.168.2.6
11:06:07.290596008 | 49709 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:07.290735960 | 49709 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:07.291233063 | 49711 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:07.295511961 | 18443 | 49709 | 111.119.200.175 | 192.168.2.6
11:06:07.296035051 | 18443 | 49711 | 111.119.200.175 | 192.168.2.6
11:06:07.296099901 | 49711 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:07.296336889 | 49711 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:07.301104069 | 18443 | 49711 | 111.119.200.175 | 192.168.2.6
11:06:09.363903999 | 18443 | 49711 | 111.119.200.175 | 192.168.2.6
11:06:09.363970041 | 49711 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.364339113 | 49711 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.364528894 | 49712 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.369133949 | 18443 | 49711 | 111.119.200.175 | 192.168.2.6
11:06:09.369350910 | 18443 | 49712 | 111.119.200.175 | 192.168.2.6
11:06:09.369417906 | 49712 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.369565010 | 49712 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.374382973 | 18443 | 49712 | 111.119.200.175 | 192.168.2.6
11:06:09.374430895 | 49712 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.474889040 | 49713 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.479747057 | 18443 | 49713 | 111.119.200.175 | 192.168.2.6
11:06:09.479844093 | 49713 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.480176926 | 49713 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:09.485025883 | 18443 | 49713 | 111.119.200.175 | 192.168.2.6
11:06:11.546891928 | 18443 | 49713 | 111.119.200.175 | 192.168.2.6
11:06:11.546982050 | 49713 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:11.548959970 | 49713 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:11.550649881 | 49714 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:11.553791046 | 18443 | 49713 | 111.119.200.175 | 192.168.2.6
11:06:11.555466890 | 18443 | 49714 | 111.119.200.175 | 192.168.2.6
11:06:11.555540085 | 49714 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:11.568377018 | 49714 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:11.573185921 | 18443 | 49714 | 111.119.200.175 | 192.168.2.6
11:06:13.627902031 | 18443 | 49714 | 111.119.200.175 | 192.168.2.6
11:06:13.627973080 | 49714 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.628040075 | 49714 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.628525019 | 49721 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.632805109 | 18443 | 49714 | 111.119.200.175 | 192.168.2.6
11:06:13.633268118 | 18443 | 49721 | 111.119.200.175 | 192.168.2.6
11:06:13.633440018 | 49721 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.633588076 | 49721 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.638427973 | 18443 | 49721 | 111.119.200.175 | 192.168.2.6
11:06:13.638493061 | 49721 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.740494013 | 49722 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.745266914 | 18443 | 49722 | 111.119.200.175 | 192.168.2.6
11:06:13.745325089 | 49722 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.745610952 | 49722 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:13.750351906 | 18443 | 49722 | 111.119.200.175 | 192.168.2.6
11:06:15.793018103 | 18443 | 49722 | 111.119.200.175 | 192.168.2.6
11:06:15.793083906 | 49722 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:15.793167114 | 49722 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:15.793648005 | 49737 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:15.797903061 | 18443 | 49722 | 111.119.200.175 | 192.168.2.6
11:06:15.798388958 | 18443 | 49737 | 111.119.200.175 | 192.168.2.6
11:06:15.798449993 | 49737 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:15.798688889 | 49737 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:15.803442001 | 18443 | 49737 | 111.119.200.175 | 192.168.2.6
11:06:17.861895084 | 18443 | 49737 | 111.119.200.175 | 192.168.2.6
11:06:17.862032890 | 49737 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.862308025 | 49737 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.862926006 | 49750 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.867086887 | 18443 | 49737 | 111.119.200.175 | 192.168.2.6
11:06:17.867785931 | 18443 | 49750 | 111.119.200.175 | 192.168.2.6
11:06:17.868038893 | 49750 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.868133068 | 49750 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.873034954 | 18443 | 49750 | 111.119.200.175 | 192.168.2.6
11:06:17.873085022 | 49750 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.977165937 | 49751 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.981971979 | 18443 | 49751 | 111.119.200.175 | 192.168.2.6
11:06:17.982086897 | 49751 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.982291937 | 49751 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:17.987109900 | 18443 | 49751 | 111.119.200.175 | 192.168.2.6
11:06:20.194403887 | 18443 | 49751 | 111.119.200.175 | 192.168.2.6
11:06:20.194483042 | 49751 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:20.194605112 | 49751 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:20.195244074 | 49767 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:20.199600935 | 18443 | 49751 | 111.119.200.175 | 192.168.2.6
11:06:20.200056076 | 18443 | 49767 | 111.119.200.175 | 192.168.2.6
11:06:20.200150013 | 49767 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:20.200539112 | 49767 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:20.205282927 | 18443 | 49767 | 111.119.200.175 | 192.168.2.6
11:06:22.266381979 | 18443 | 49767 | 111.119.200.175 | 192.168.2.6
11:06:22.266513109 | 49767 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.266649008 | 49767 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.267282009 | 49786 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.271420002 | 18443 | 49767 | 111.119.200.175 | 192.168.2.6
11:06:22.272072077 | 18443 | 49786 | 111.119.200.175 | 192.168.2.6
11:06:22.272289991 | 49786 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.272396088 | 49786 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.277605057 | 18443 | 49786 | 111.119.200.175 | 192.168.2.6
11:06:22.277659893 | 49786 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.381110907 | 49788 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.386126041 | 18443 | 49788 | 111.119.200.175 | 192.168.2.6
11:06:22.386205912 | 49788 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.386559010 | 49788 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:22.391326904 | 18443 | 49788 | 111.119.200.175 | 192.168.2.6
11:06:24.455457926 | 18443 | 49788 | 111.119.200.175 | 192.168.2.6
11:06:24.455612898 | 49788 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:24.455697060 | 49788 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:24.459578991 | 49803 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:24.460474968 | 18443 | 49788 | 111.119.200.175 | 192.168.2.6
11:06:24.464432001 | 18443 | 49803 | 111.119.200.175 | 192.168.2.6
11:06:24.464618921 | 49803 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:24.464843035 | 49803 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:24.469650984 | 18443 | 49803 | 111.119.200.175 | 192.168.2.6
11:06:26.515157938 | 18443 | 49803 | 111.119.200.175 | 192.168.2.6
11:06:26.515223026 | 49803 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.515331984 | 49803 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.515984058 | 49816 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.520117044 | 18443 | 49803 | 111.119.200.175 | 192.168.2.6
11:06:26.520737886 | 18443 | 49816 | 111.119.200.175 | 192.168.2.6
11:06:26.520796061 | 49816 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.520901918 | 49816 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.525685072 | 18443 | 49816 | 111.119.200.175 | 192.168.2.6
11:06:26.525958061 | 18443 | 49816 | 111.119.200.175 | 192.168.2.6
11:06:26.526006937 | 49816 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.631053925 | 49819 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.635894060 | 18443 | 49819 | 111.119.200.175 | 192.168.2.6
11:06:26.635968924 | 49819 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.636236906 | 49819 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:26.640995979 | 18443 | 49819 | 111.119.200.175 | 192.168.2.6
11:06:28.687679052 | 18443 | 49819 | 111.119.200.175 | 192.168.2.6
11:06:28.687808037 | 49819 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:28.687901020 | 49819 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:28.688390017 | 49833 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:28.692681074 | 18443 | 49819 | 111.119.200.175 | 192.168.2.6
11:06:28.693229914 | 18443 | 49833 | 111.119.200.175 | 192.168.2.6
11:06:28.693314075 | 49833 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:28.694359064 | 49833 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:28.699127913 | 18443 | 49833 | 111.119.200.175 | 192.168.2.6
11:06:30.768124104 | 18443 | 49833 | 111.119.200.175 | 192.168.2.6
11:06:30.768237114 | 49833 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.768321037 | 49833 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.768846035 | 49849 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.773052931 | 18443 | 49833 | 111.119.200.175 | 192.168.2.6
11:06:30.773663044 | 18443 | 49849 | 111.119.200.175 | 192.168.2.6
11:06:30.773732901 | 49849 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.773853064 | 49849 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.778790951 | 18443 | 49849 | 111.119.200.175 | 192.168.2.6
11:06:30.778856993 | 49849 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.882297993 | 49850 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.887131929 | 18443 | 49850 | 111.119.200.175 | 192.168.2.6
11:06:30.887232065 | 49850 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.887484074 | 49850 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:30.892282009 | 18443 | 49850 | 111.119.200.175 | 192.168.2.6
11:06:32.954606056 | 18443 | 49850 | 111.119.200.175 | 192.168.2.6
11:06:32.954690933 | 49850 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:32.954771996 | 49850 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:32.955226898 | 49863 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:32.960238934 | 18443 | 49850 | 111.119.200.175 | 192.168.2.6
11:06:32.960732937 | 18443 | 49863 | 111.119.200.175 | 192.168.2.6
11:06:32.960799932 | 49863 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:32.961110115 | 49863 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:32.966938019 | 18443 | 49863 | 111.119.200.175 | 192.168.2.6
11:06:35.046350002 | 18443 | 49863 | 111.119.200.175 | 192.168.2.6
11:06:35.046437025 | 49863 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:35.046508074 | 49863 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:35.047733068 | 49875 | 18443 | 192.168.2.6 | 111.119.200.175
11:06:35.051284075 | 18443 | 49863 | 111.119.200.175 | 192.168.2.6
11:06:35.052561998 | 18443 | 49875 | 111.119.200.175 | 192.168.2.6
            Jan 8, 2025 11:06:35.052623987 CET4987518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:35.052737951 CET4987518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:35.057554007 CET1844349875111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:35.057598114 CET4987518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:35.162826061 CET4987718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:35.167634964 CET1844349877111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:35.167700052 CET4987718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:35.169147015 CET4987718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:35.173907995 CET1844349877111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:37.264280081 CET1844349877111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:37.264398098 CET4987718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:37.327601910 CET4987718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:37.328641891 CET4989018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:37.332437992 CET1844349877111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:37.333447933 CET1844349890111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:37.333507061 CET4989018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:37.376315117 CET4989018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:37.381076097 CET1844349890111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:39.389239073 CET1844349890111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:39.389357090 CET4989018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.389425039 CET4989018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.389825106 CET4990618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.394200087 CET1844349890111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:39.394680977 CET1844349906111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:39.394737959 CET4990618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.394803047 CET4990618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.399776936 CET1844349906111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:39.402369022 CET4990618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.506069899 CET4990718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.510919094 CET1844349907111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:39.511014938 CET4990718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.511369944 CET4990718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:39.518311024 CET1844349907111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:41.561141014 CET1844349907111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:41.561224937 CET4990718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:41.561343908 CET4990718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:41.561816931 CET4992018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:41.566128016 CET1844349907111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:41.566636086 CET1844349920111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:41.566703081 CET4992018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:41.566905022 CET4992018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:41.571672916 CET1844349920111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:43.625844002 CET1844349920111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:43.625901937 CET4992018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.625978947 CET4992018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.626351118 CET4993618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.630781889 CET1844349920111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:43.631122112 CET1844349936111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:43.631186962 CET4993618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.631602049 CET4993618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.636404037 CET1844349936111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:43.636482000 CET4993618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.741489887 CET4993718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.746388912 CET1844349937111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:43.746481895 CET4993718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.746710062 CET4993718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:43.751530886 CET1844349937111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:45.815625906 CET1844349937111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:45.816095114 CET4993718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:45.816167116 CET4993718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:45.816682100 CET4995318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:45.820951939 CET1844349937111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:45.821424961 CET1844349953111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:45.821528912 CET4995318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:45.821849108 CET4995318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:45.826698065 CET1844349953111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:47.887206078 CET1844349953111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:47.888045073 CET4995318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:47.888124943 CET4995318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:47.888569117 CET4996718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:47.892889977 CET1844349953111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:47.893424034 CET1844349967111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:47.893491030 CET4996718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:47.893635035 CET4996718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:47.898550987 CET1844349967111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:47.898611069 CET4996718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:48.006011009 CET4996818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:48.010807991 CET1844349968111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:48.012059927 CET4996818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:48.012322903 CET4996818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:48.017096996 CET1844349968111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:50.080668926 CET1844349968111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:50.080727100 CET4996818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:50.080944061 CET4996818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:50.081386089 CET4998418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:50.085724115 CET1844349968111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:50.086193085 CET1844349984111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:50.086271048 CET4998418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:50.087207079 CET4998418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:50.092036963 CET1844349984111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:52.174536943 CET1844349984111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:52.174695969 CET4998418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.174786091 CET4998418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.175198078 CET5000018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.179836988 CET1844349984111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:52.180265903 CET1844350000111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:52.180330038 CET5000018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.180457115 CET5000018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.185513973 CET1844350000111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:52.185563087 CET5000018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.287585020 CET5000118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.292678118 CET1844350001111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:52.292809963 CET5000118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.293170929 CET5000118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:52.297914982 CET1844350001111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:54.343029022 CET1844350001111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:54.343087912 CET5000118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:54.343173027 CET5000118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:54.343594074 CET5001518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:54.347898006 CET1844350001111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:54.348402023 CET1844350015111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:54.348488092 CET5001518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:54.348660946 CET5001518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:54.353442907 CET1844350015111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:56.405559063 CET1844350015111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:56.405668974 CET5001518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.405755997 CET5001518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.406224966 CET5001818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.410588026 CET1844350015111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:56.411143064 CET1844350018111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:56.411202908 CET5001818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.411268950 CET5001818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.416450977 CET1844350018111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:56.416543007 CET5001818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.522902012 CET5001918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.527785063 CET1844350019111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:56.527867079 CET5001918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.528172016 CET5001918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:56.532916069 CET1844350019111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:58.594022989 CET1844350019111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:58.594089031 CET5001918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:58.594290018 CET5001918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:58.594610929 CET5002118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:58.599040031 CET1844350019111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:58.599370003 CET1844350021111.119.200.175192.168.2.6
            Jan 8, 2025 11:06:58.599436045 CET5002118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:58.599764109 CET5002118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:06:58.604528904 CET1844350021111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:00.672632933 CET1844350021111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:00.672920942 CET5002118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.673063993 CET5002118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.673564911 CET5002218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.677885056 CET1844350021111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:00.678378105 CET1844350022111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:00.678456068 CET5002218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.678571939 CET5002218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.683459997 CET1844350022111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:00.684052944 CET5002218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.787770033 CET5002318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.792730093 CET1844350023111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:00.792797089 CET5002318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.793093920 CET5002318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:00.797866106 CET1844350023111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:02.844000101 CET1844350023111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:02.844225883 CET5002318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:02.845545053 CET5002318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:02.846044064 CET5002418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:02.850346088 CET1844350023111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:02.850915909 CET1844350024111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:02.850989103 CET5002418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:02.865696907 CET5002418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:02.870512962 CET1844350024111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:04.902734041 CET1844350024111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:04.908088923 CET5002418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:04.908154011 CET5002418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:04.908613920 CET5002518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:04.912935019 CET1844350024111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:04.913502932 CET1844350025111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:04.913609982 CET5002518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:04.913712978 CET5002518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:04.918745995 CET1844350025111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:04.922167063 CET5002518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:05.021886110 CET5002618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:05.026726007 CET1844350026111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:05.026823997 CET5002618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:05.027173996 CET5002618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:05.031974077 CET1844350026111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:07.094938993 CET1844350026111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:07.095041037 CET5002618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:07.095118999 CET5002618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:07.095623970 CET5002818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:07.099895954 CET1844350026111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:07.100419044 CET1844350028111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:07.100490093 CET5002818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:07.100725889 CET5002818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:07.105500937 CET1844350028111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:09.155616999 CET1844350028111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:09.155690908 CET5002818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.155775070 CET5002818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.156227112 CET5002918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.160537958 CET1844350028111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:09.161067963 CET1844350029111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:09.161128998 CET5002918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.161206007 CET5002918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.166163921 CET1844350029111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:09.166225910 CET5002918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.273065090 CET5003018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.277899981 CET1844350030111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:09.277992010 CET5003018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.278239965 CET5003018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:09.282991886 CET1844350030111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:11.348572969 CET1844350030111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:11.348645926 CET5003018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:11.348721027 CET5003018443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:11.349206924 CET5003118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:11.353521109 CET1844350030111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:11.354057074 CET1844350031111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:11.354131937 CET5003118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:11.354418993 CET5003118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:11.359204054 CET1844350031111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.416903019 CET1844350031111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.419110060 CET5003118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.419178009 CET5003118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.419672012 CET5003218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.423933983 CET1844350031111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.424546003 CET1844350032111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.424628019 CET5003218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.424761057 CET5003218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.429646015 CET1844350032111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.430418968 CET1844350032111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.430485010 CET5003218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.537421942 CET5003318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.542324066 CET1844350033111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:13.542401075 CET5003318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.542673111 CET5003318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:13.547485113 CET1844350033111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:15.611366987 CET1844350033111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:15.611478090 CET5003318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:15.611555099 CET5003318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:15.612067938 CET5003418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:15.616363049 CET1844350033111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:15.616928101 CET1844350034111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:15.616991043 CET5003418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:15.617319107 CET5003418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:15.622112036 CET1844350034111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:17.670703888 CET1844350034111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:17.670900106 CET5003418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.670900106 CET5003418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.671382904 CET5003518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.675761938 CET1844350034111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:17.676199913 CET1844350035111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:17.676265001 CET5003518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.676331997 CET5003518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.681351900 CET1844350035111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:17.681404114 CET5003518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.787421942 CET5003618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.792326927 CET1844350036111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:17.792459011 CET5003618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.792917013 CET5003618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:17.797693014 CET1844350036111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:19.843025923 CET1844350036111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:19.843146086 CET5003618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:19.843410015 CET5003618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:19.843781948 CET5003718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:19.848143101 CET1844350036111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:19.848599911 CET1844350037111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:19.848671913 CET5003718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:19.848999023 CET5003718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:19.853733063 CET1844350037111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:21.887517929 CET1844350037111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:21.887664080 CET5003718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:21.887804031 CET5003718443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:21.888351917 CET5003818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:21.892561913 CET1844350037111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:21.893157959 CET1844350038111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:21.893229008 CET5003818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:21.893290997 CET5003818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:21.898288012 CET1844350038111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:21.898345947 CET5003818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:22.007720947 CET5003918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:22.012626886 CET1844350039111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:22.012703896 CET5003918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:22.012940884 CET5003918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:22.017745018 CET1844350039111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:24.079025030 CET1844350039111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:24.079138994 CET5003918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:24.079251051 CET5003918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:24.079752922 CET5004118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:24.084012985 CET1844350039111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:24.084638119 CET1844350041111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:24.084711075 CET5004118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:24.084939957 CET5004118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:24.089720964 CET1844350041111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:26.139609098 CET1844350041111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:26.139815092 CET5004118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.139815092 CET5004118443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.140242100 CET5004218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.144685030 CET1844350041111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:26.145041943 CET1844350042111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:26.145104885 CET5004218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.145176888 CET5004218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.153609037 CET1844350042111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:26.153666019 CET5004218443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.256386042 CET5004318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.261205912 CET1844350043111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:26.261354923 CET5004318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.261676073 CET5004318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:26.266437054 CET1844350043111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:28.314347029 CET1844350043111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:28.314429998 CET5004318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:28.314502001 CET5004318443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:28.314950943 CET5004418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:28.319212914 CET1844350043111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:28.319727898 CET1844350044111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:28.319813967 CET5004418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:28.320101976 CET5004418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:28.324805975 CET1844350044111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:30.375570059 CET1844350044111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:30.375691891 CET5004418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.375768900 CET5004418443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.376267910 CET5004518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.380677938 CET1844350044111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:30.381093025 CET1844350045111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:30.381151915 CET5004518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.395741940 CET5004518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.400696993 CET1844350045111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:30.400810957 CET5004518443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.506572008 CET5004618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.511473894 CET1844350046111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:30.511549950 CET5004618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.511842966 CET5004618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:30.516639948 CET1844350046111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:32.564326048 CET1844350046111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:32.564423084 CET5004618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:32.564498901 CET5004618443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:32.564974070 CET5004818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:32.569293022 CET1844350046111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:32.569809914 CET1844350048111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:32.569889069 CET5004818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:32.570107937 CET5004818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:32.574873924 CET1844350048111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:34.624443054 CET1844350048111.119.200.175192.168.2.6
            Jan 8, 2025 11:07:34.624562979 CET5004818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:34.624687910 CET5004818443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:34.625191927 CET5004918443192.168.2.6111.119.200.175
            Jan 8, 2025 11:07:34.640125990 CET1844350048111.119.200.175192.168.2.6
Timestamp                           Source Port  Dest Port  Source IP         Dest IP
Jan 8, 2025 11:07:34.640139103 CET  18443        50049      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:34.640225887 CET  50049        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:34.640328884 CET  50049        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:34.652666092 CET  18443        50049      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:34.652775049 CET  50049        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:34.757436991 CET  50050        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:34.762331009 CET  18443        50050      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:34.762398958 CET  50050        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:34.762834072 CET  50050        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:34.767597914 CET  18443        50050      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:36.811937094 CET  18443        50050      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:36.812047005 CET  50050        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:36.812139034 CET  50050        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:36.812613010 CET  50051        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:36.816873074 CET  18443        50050      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:36.817424059 CET  18443        50051      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:36.817492008 CET  50051        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:36.817703962 CET  50051        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:36.822484016 CET  18443        50051      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:38.878916979 CET  18443        50051      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:38.879018068 CET  50051        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.879086971 CET  50051        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.879657984 CET  50052        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.883816957 CET  18443        50051      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:38.884459019 CET  18443        50052      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:38.884525061 CET  50052        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.884598017 CET  50052        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.889434099 CET  18443        50052      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:38.889488935 CET  50052        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.990767956 CET  50053        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.995660067 CET  18443        50053      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:38.995763063 CET  50053        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:38.996037006 CET  50053        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:39.001058102 CET  18443        50053      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:41.067466974 CET  18443        50053      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:41.067673922 CET  50053        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:41.068221092 CET  50053        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:41.068222046 CET  50054        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:41.075287104 CET  18443        50053      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:41.075300932 CET  18443        50054      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:41.075376987 CET  50054        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:41.075615883 CET  50054        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:41.083880901 CET  18443        50054      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:43.123900890 CET  18443        50054      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:43.124310017 CET  50054        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.124403954 CET  50054        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.124919891 CET  50055        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.129148006 CET  18443        50054      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:43.129759073 CET  18443        50055      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:43.129966021 CET  50055        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.130093098 CET  50055        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.135019064 CET  18443        50055      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:43.136281967 CET  50055        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.240852118 CET  50056        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.245779991 CET  18443        50056      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:43.245867014 CET  50056        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.246140957 CET  50056        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:43.250869989 CET  18443        50056      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:45.296962023 CET  18443        50056      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:45.297024012 CET  50056        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:45.297091961 CET  50056        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:45.297560930 CET  50057        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:45.301882982 CET  18443        50056      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:45.302439928 CET  18443        50057      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:45.302505970 CET  50057        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:45.302846909 CET  50057        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:45.307634115 CET  18443        50057      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:47.359940052 CET  18443        50057      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:47.360002041 CET  50057        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.360081911 CET  50057        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.360570908 CET  50058        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.364862919 CET  18443        50057      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:47.365391970 CET  18443        50058      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:47.365452051 CET  50058        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.365559101 CET  50058        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.370420933 CET  18443        50058      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:47.370462894 CET  50058        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.481825113 CET  50059        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.486635923 CET  18443        50059      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:47.486709118 CET  50059        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.487740040 CET  50059        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:47.492486000 CET  18443        50059      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:49.569233894 CET  18443        50059      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:49.569308043 CET  50059        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:49.569387913 CET  50059        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:49.569873095 CET  50060        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:49.574105978 CET  18443        50059      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:49.574667931 CET  18443        50060      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:49.574737072 CET  50060        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:49.574942112 CET  50060        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:49.579682112 CET  18443        50060      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:51.627310991 CET  18443        50060      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:51.627425909 CET  50060        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.627505064 CET  50060        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.628027916 CET  50061        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.632265091 CET  18443        50060      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:51.632935047 CET  18443        50061      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:51.633004904 CET  50061        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.633121014 CET  50061        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.638076067 CET  18443        50061      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:51.638148069 CET  50061        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.740953922 CET  50062        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.745778084 CET  18443        50062      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:51.745863914 CET  50062        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.746148109 CET  50062        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:51.750891924 CET  18443        50062      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:53.798022032 CET  18443        50062      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:53.798141003 CET  50062        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:53.798213005 CET  50062        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:53.798693895 CET  50063        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:53.802964926 CET  18443        50062      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:53.803541899 CET  18443        50063      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:53.803606033 CET  50063        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:53.803817987 CET  50063        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:53.808579922 CET  18443        50063      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:55.858005047 CET  18443        50063      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:55.858134985 CET  50063        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.858249903 CET  50063        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.858895063 CET  50064        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.863095045 CET  18443        50063      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:55.863770962 CET  18443        50064      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:55.863859892 CET  50064        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.864022017 CET  50064        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.868973970 CET  18443        50064      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:55.869071960 CET  50064        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.975377083 CET  50065        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.980237961 CET  18443        50065      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:55.980371952 CET  50065        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.980792999 CET  50065        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:55.985542059 CET  18443        50065      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:58.029908895 CET  18443        50065      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:58.030076027 CET  50065        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:58.030286074 CET  50065        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:58.031507015 CET  50066        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:58.035021067 CET  18443        50065      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:58.036308050 CET  18443        50066      111.119.200.175   192.168.2.6
Jan 8, 2025 11:07:58.036420107 CET  50066        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:58.037079096 CET  50066        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:07:58.041807890 CET  18443        50066      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:00.101104021 CET  18443        50066      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:00.101222992 CET  50066        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.121656895 CET  50066        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.122868061 CET  50068        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.126506090 CET  18443        50066      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:00.127669096 CET  18443        50068      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:00.127736092 CET  50068        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.127932072 CET  50068        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.132762909 CET  18443        50068      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:00.132810116 CET  50068        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.333074093 CET  50069        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.338010073 CET  18443        50069      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:00.338073969 CET  50069        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.364023924 CET  50069        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:00.368860006 CET  18443        50069      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:02.426177979 CET  18443        50069      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:02.426285028 CET  50069        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:02.426382065 CET  50069        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:02.426912069 CET  50070        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:02.431212902 CET  18443        50069      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:02.431735039 CET  18443        50070      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:02.431802988 CET  50070        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:02.432092905 CET  50070        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:02.436817884 CET  18443        50070      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.499265909 CET  18443        50070      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.499365091 CET  50070        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.499455929 CET  50070        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.499999046 CET  50071        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.504173040 CET  18443        50070      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.504748106 CET  18443        50071      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.504822016 CET  50071        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.504895926 CET  50071        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.510070086 CET  18443        50071      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.510081053 CET  18443        50071      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.510138035 CET  50071        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.616050959 CET  50072        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.621232033 CET  18443        50072      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:04.621346951 CET  50072        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.621702909 CET  50072        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:04.626461983 CET  18443        50072      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:06.670515060 CET  18443        50072      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:06.670630932 CET  50072        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:06.670722008 CET  50072        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:06.671221972 CET  50073        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:06.675508976 CET  18443        50072      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:06.676043034 CET  18443        50073      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:06.676110029 CET  50073        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:06.676307917 CET  50073        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:06.681124926 CET  18443        50073      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:08.737998009 CET  18443        50073      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:08.738145113 CET  50073        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.738235950 CET  50073        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.738723993 CET  50074        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.743211985 CET  18443        50073      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:08.743505001 CET  18443        50074      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:08.743571043 CET  50074        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.743640900 CET  50074        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.748744011 CET  18443        50074      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:08.748801947 CET  50074        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.850404024 CET  50075        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.855288029 CET  18443        50075      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:08.855390072 CET  50075        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.855700016 CET  50075        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:08.860539913 CET  18443        50075      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:10.906843901 CET  18443        50075      111.119.200.175   192.168.2.6
Jan 8, 2025 11:08:10.906924963 CET  50075        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:10.907020092 CET  50075        18443      192.168.2.6       111.119.200.175
Jan 8, 2025 11:08:10.911787033 CET  18443        50075      111.119.200.175   192.168.2.6
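The packet table above is the kind of evidence a detection engineer turns into a beaconing check: the sandbox host (192.168.2.6) opens a fresh connection to 111.119.200.175:18443 roughly every two seconds, each one lives for about two seconds until the server's last packet, and the next one opens within a millisecond of the previous one closing. The script below is an added example, not part of the Joe Sandbox report, that parses rows in the table's column order (timestamp, source port, destination port, source IP, destination IP), takes the first client packet on each ephemeral port as a connection start, collapses connections opened within a short gap of each other into one check-in cycle, and flags a destination as periodic when the coefficient of variation of the check-in intervals is small. The 18443 rows are copied from the table; the two rows to 10.0.0.5:443 are constructed as a non-beaconing control; the 0.5 s merge gap, the six-cycle minimum and the 0.25 CV threshold are assumptions chosen for this sample, not values taken from the report or from Cobalt Strike.

```python
"""Beacon-interval analysis over rows from a Joe Sandbox "TCP Packets" table.

Added example, not part of the Joe Sandbox report. MERGE_GAP, MIN_CYCLES and
MAX_CV are assumed thresholds chosen for this sample.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Rows copied from this report's TCP packet table: the first packet of each new
# connection from the sandbox host (192.168.2.6) to the C2 (111.119.200.175:18443),
# plus one server reply to show that replies are ignored. The two rows to
# 10.0.0.5:443 are constructed (not from the report) as a non-beaconing control.
SAMPLE_ROWS = """
Jan 8, 2025 11:07:34.757436991 CET 50050 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:34.762331009 CET 18443 50050 111.119.200.175 192.168.2.6
Jan 8, 2025 11:07:35.100000000 CET 50100 443 192.168.2.6 10.0.0.5
Jan 8, 2025 11:07:36.812613010 CET 50051 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:38.879657984 CET 50052 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:38.990767956 CET 50053 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:41.068222046 CET 50054 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:43.124919891 CET 50055 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:43.240852118 CET 50056 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:44.900000000 CET 50101 443 192.168.2.6 10.0.0.5
Jan 8, 2025 11:07:45.297560930 CET 50057 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:47.360570908 CET 50058 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:47.481825113 CET 50059 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:49.569873095 CET 50060 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:51.628027916 CET 50061 18443 192.168.2.6 111.119.200.175
Jan 8, 2025 11:07:51.740953922 CET 50062 18443 192.168.2.6 111.119.200.175
"""

# timestamp, timezone token, src port, dst port, src IP, dst IP
ROW_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+ (\d+) (\d+) (\S+) (\S+)$"
)

MERGE_GAP = 0.5   # seconds; connections opened this close together form one check-in
MIN_CYCLES = 6    # need at least this many check-ins before judging periodicity
MAX_CV = 0.25     # coefficient of variation of intervals at or below this = periodic


def parse_ts(ts: str) -> datetime:
    """Parse the report's timestamp; it carries nanoseconds, strptime takes microseconds."""
    base, frac = ts.split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text: str):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) for each table row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ts, sport, dport, sip, dip = m.groups()
        yield parse_ts(ts), int(sport), int(dport), sip, dip


def connection_starts(packets, client_ip: str) -> dict:
    """Map (dst_ip, dst_port) -> sorted connection start times for one client.

    A connection start is the first packet seen from the client on a given
    ephemeral source port to a given destination; server replies are ignored.
    """
    seen = set()
    starts = defaultdict(list)
    for ts, sport, dport, sip, dip in packets:
        if sip != client_ip:
            continue
        flow = (sport, dip, dport)
        if flow in seen:
            continue
        seen.add(flow)
        starts[(dip, dport)].append(ts)
    return {dst: sorted(times) for dst, times in starts.items()}


def checkin_cycles(starts, merge_gap: float = MERGE_GAP) -> list:
    """Collapse connections opened within merge_gap seconds of the previous one
    into a single check-in cycle; return the start time of each cycle."""
    cycles = []
    for ts in starts:
        if cycles and (ts - cycles[-1][-1]).total_seconds() <= merge_gap:
            cycles[-1].append(ts)
        else:
            cycles.append([ts])
    return [cycle[0] for cycle in cycles]


def interval_stats(cycle_starts, min_cycles: int = MIN_CYCLES):
    """Return (median_interval_s, coefficient_of_variation), or None if too few cycles."""
    if len(cycle_starts) < min_cycles:
        return None
    deltas = [(b - a).total_seconds() for a, b in zip(cycle_starts, cycle_starts[1:])]
    return statistics.median(deltas), statistics.pstdev(deltas) / statistics.mean(deltas)


def find_beacons(text: str, client_ip: str, max_cv: float = MAX_CV) -> dict:
    """Return {(dst_ip, dst_port): (median_interval_s, cv)} for periodic destinations."""
    hits = {}
    for dst, starts in connection_starts(parse_rows(text), client_ip).items():
        stats = interval_stats(checkin_cycles(starts))
        if stats is not None and stats[1] <= max_cv:
            hits[dst] = stats
    return hits


if __name__ == "__main__":
    for (ip, port), (median, cv) in find_beacons(SAMPLE_ROWS, "192.168.2.6").items():
        print(f"{ip}:{port} contacted every ~{median:.2f}s (cv={cv:.3f}) -> likely beacon")
```

On the rows above the C2 destination comes out at a median interval of about 2.06 s with a coefficient of variation near 0.03, while the control destination has too few connections to be judged. The merge step matters for this capture: every third connection to 18443 opens about 0.11 s after the previous one (50052/50053, 50055/50056, 50058/50059, 50061/50062 in the table), and without folding those into the preceding check-in the interval distribution would be bimodal and the CV would not look periodic at all. On production data you would read the same columns from Zeek conn.log or NetFlow rather than a sandbox table, and you should expect Cobalt Strike's configurable sleep jitter to widen the spread, which is why the threshold is a parameter.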


Target ID: 0
Start time: 05:06:03
Start date: 08/01/2025
Path: C:\Users\user\Desktop\c_shlellcode.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\c_shlellcode.exe"
Imagebase: 0x7ff7653a0000
File size: 5'593'088 bytes
MD5 hash: 3E96C0115AEAC2B89D926F326079FDC0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
            • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
            • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
            • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.3386553887.000001BCF9B60000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: yara@s3c.za.net
            • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3386483169.000001BCF9A10000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: yara@s3c.za.net
            • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3386186288.000001BCF9910000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

            No disassembly