
Windows Analysis Report
#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe

Overview

General Information

Sample Name: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
Analysis ID: 679121
MD5: 2d2e2831ae6351fbee7810bfc0d10955
SHA1: 52a95894b8551743058a1bfe56e38919f43819c4
SHA256: ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922
Tags: exe

Detection

CobaltStrike
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Yara signature match
PE file contains strange resources
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe (PID: 5940 cmdline: "C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe" MD5: 2D2E2831AE6351FBEE7810BFC0D10955)
    • cmd.exe (PID: 5828 cmdline: c:\windows\system32\cmd.exe /C start ???????.xls MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • EXCEL.EXE (PID: 5232 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup
{"C2Server": "http://jquery-min.us:8443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source | Rule | Description | Author | Strings
00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp | Cobaltbaltstrike_RAW_Payload_https_stager_x64 | Detects CobaltStrike payloads | Avast Threat Intel Team
  • 0x4000:$h01: FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52
00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp | Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team
  • 0x3400:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
  • 0x3900:$s10: /EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA
00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leveraged by Metasploit shellcode | unknown
  • 0x4011:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | Avira: detected
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | Virustotal: Detection: 60%
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | Metadefender: Detection: 25%
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | ReversingLabs: Detection: 69%
Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://jquery-min.us:8443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}

Networking

Source: Malware configuration extractor | URLs: http://jquery-min.us:8443/jquery-3.3.2.slim.min.js
Source: unknown | DNS traffic detected: query: jquery-min.us replaycode: Server failure (2)
Source: unknown | TCP traffic detected without corresponding DNS query: 27.0.135.13
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | String found in binary or memory: http://27.0.135.13/
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444448493.0000000000131000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444448493.0000000000131000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/o
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444448493.0000000000131000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/u
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/x
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/~
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jquery-min.us/
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444391043.0000000000105000.00000004.00000020.00020000.00000000.sdmp, #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444431501.0000000000121000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jquery-min.us:8443/
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jquery-min.us:8443/jquery-3.3.2.slim.min.js
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jquery-min.us:8443/jquery-3.3.2.slim.min.jsL
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444431501.0000000000121000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jquery-min.us:8443/s
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://tasks.office.com
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://webshell.suite.office.com
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://wus2.contentsync.
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drString found in binary or memory: https://www.odwebp.svc.ms
Source: unknown; DNS traffic detected: queries for: jquery-min.us
Source: global traffic; HTTP traffic detected: GET /%E6%B6%89%E7%96%AB%E8%BD%A8%E8%BF%B9%E6%A3%80%E6%9F%A5%E8%A1%A8.xls HTTP/1.1; Host: 27.0.135.13; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip

      System Summary

Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.450050616.000000C0001D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe PID: 5940, type: MEMORYSTR; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\cmd.exe; Section loaded: sfc.dll
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Code function: 0_2_26E3010C
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Static PE information: Section: UPX1 ZLIB complexity 0.9995077597128378
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Virustotal: Detection: 60%
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Metadefender: Detection: 25%
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe "C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe"
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /C start ???????.xls
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: ???????.LNK.3.dr; LNK file: ..\..\..\..\..\Desktop\.xls
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; File created: C:\Users\user\Desktop\???????.xls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{2D790E46-2036-426D-8900-E2C1DA7A8819} - OProcSessId.dat
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; String found in binary or memory: D:/a/shellcode-launch/shellcode-launch/main.go
Source: classification engine; Classification label: mal88.troj.evad.winEXE@7/4@10/1
Source: C:\Windows\System32\cmd.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Static file information: File size 1553920 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x172000
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Code function: 0_2_26E3012B push eax; ret 0_2_26E30387
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Code function: 0_2_26E3010C push eax; ret 0_2_26E30387
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1

      Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: xls.exe; Static PE information: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444609671.0000000000401000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: lmPVmnet/url.Parse
Source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliiJ
Source: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe; Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /C start ???????.xls
Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde

      Remote Access Functionality

Source: Yara match; File source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.450050616.000000C0001D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe PID: 5940, type: MEMORYSTR
Source: Yara match; File source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: 11 Masquerading; 11 Process Injection; 111 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Security Software Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 2 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
Source | Detection | Scanner | Label | Link
#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | 61% | Virustotal | | Browse
#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | 26% | Metadefender | | Browse
#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | 69% | ReversingLabs | Win64.Backdoor.CobaltStrikeBeacon |
#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | 100% | Avira | TR/Rozena.eozmy |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
jquery-min.us | 4% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://roaming.edog. | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
http://27.0.135.13/ | 0% | Avira URL Cloud | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://jquery-min.us:8443/jquery-3.3.2.slim.min.jsL | 0% | Avira URL Cloud | safe |
https://jquery-min.us:8443/ | 5% | Virustotal | | Browse
https://jquery-min.us:8443/ | 0% | Avira URL Cloud | safe |
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe |
https://jquery-min.us:8443/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://my.microsoftpersonalcontent.com | 0% | Avira URL Cloud | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://jquery-min.us:8443/s | 0% | Avira URL Cloud | safe |
http://27.0.135.13/%E6%B6%89%E7%96%AB%E8%BD%A8%E8%BF%B9%E6%A3%80%E6%9F%A5%E8%A1%A8.xls | 0% | Avira URL Cloud | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
http://jquery-min.us:8443/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
      NameIPActiveMaliciousAntivirus DetectionReputation
      jquery-min.us
      unknown
      unknowntrueunknown
      NameMaliciousAntivirus DetectionReputation
      http://27.0.135.13/%E6%B6%89%E7%96%AB%E8%BD%A8%E8%BF%B9%E6%A3%80%E6%9F%A5%E8%A1%A8.xlsfalse
      • Avira URL Cloud: safe
      unknown
      http://jquery-min.us:8443/jquery-3.3.2.slim.min.jstrue
      • Avira URL Cloud: safe
      unknown
      NameSourceMaliciousAntivirus DetectionReputation
      https://api.diagnosticssdf.office.comB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
        high
        https://login.microsoftonline.com/B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
          high
          https://shell.suite.office.com:1443B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
            high
            https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
              high
              https://autodiscover-s.outlook.com/B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                high
                https://roaming.edog.B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                • URL Reputation: safe
                unknown
                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                  high
                  https://cdn.entity.B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                  • URL Reputation: safe
                  unknown
                  https://api.addins.omex.office.net/appinfo/queryB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                    high
                    https://clients.config.office.net/user/v1.0/tenantassociationkeyB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                      high
                      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                        high
                        https://powerlift.acompli.netB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                        • URL Reputation: safe
                        unknown
                        https://rpsticket.partnerservices.getmicrosoftkey.comB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                        • URL Reputation: safe
                        unknown
                        https://lookup.onenote.com/lookup/geolocation/v1B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                          high
                          https://cortana.aiB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                          • URL Reputation: safe
                          unknown
                          https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechB0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.drfalse
                            high
https://cloudfiles.onenote.com/upload.aspx | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://entitlement.diagnosticssdf.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
http://27.0.135.13/ | source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe | malicious: false | AV: Avira URL Cloud: safe | reputation: unknown
https://api.aadrm.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://jquery-min.us:8443/jquery-3.3.2.slim.min.jsL | source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | malicious: false | AV: Avira URL Cloud: safe | reputation: unknown
https://jquery-min.us:8443/ | source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444391043.0000000000105000.00000004.00000020.00020000.00000000.sdmp; #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444431501.0000000000121000.00000004.00000020.00020000.00000000.sdmp | malicious: false | AV: Virustotal: 5%; Avira URL Cloud: safe | reputation: unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://api.microsoftstream.com/api/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://cr.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: Avira URL Cloud: safe | reputation: low
https://portal.office.com/account/?ref=ClientMeControl | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://jquery-min.us:8443/jquery-3.3.2.slim.min.js | source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444303139.00000000000AC000.00000004.00000020.00020000.00000000.sdmp | malicious: false | AV: Avira URL Cloud: safe | reputation: unknown
https://graph.ppe.windows.net | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://res.getmicrosoftkey.com/api/redemptionevents | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://powerlift-frontdesk.acompli.net | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://tasks.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://officeci.azurewebsites.net/api/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://my.microsoftpersonalcontent.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: Avira URL Cloud: safe | reputation: unknown
https://store.office.cn/addinstemplate | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://api.aadrm.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://globaldisco.crm.dynamics.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://messaging.engagement.office.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://dev0-api.acompli.net/autodetect | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://www.odwebp.svc.ms | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://api.diagnosticssdf.office.com/v2/feedback | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://api.powerbi.com/v1.0/myorg/groups | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://web.microsoftstream.com/video/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://api.addins.store.officeppe.com/addinstemplate | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://graph.windows.net | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://dataservice.o365filtering.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://officesetup.getmicrosoftkey.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://analysis.windows.net/powerbi/api | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://prod-global-autodetect.acompli.net/autodetect | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://jquery-min.us:8443/s | source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444431501.0000000000121000.00000004.00000020.00020000.00000000.sdmp | malicious: false | AV: Avira URL Cloud: safe | reputation: unknown
https://outlook.office365.com/autodiscover/autodiscover.json | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://ncus.contentsync. | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
http://weather.service.msn.com/data.aspx | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://apis.live.net/v5.0/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://messaging.lifecycle.office.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://management.azure.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://outlook.office365.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
http://code.jquery.com/ | source: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe, 00000000.00000002.444448493.0000000000131000.00000004.00000020.00020000.00000000.sdmp | malicious: false | AV: - | reputation: high
https://wus2.contentsync. | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://incidents.diagnostics.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://clients.config.office.net/user/v1.0/ios | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://insertmedia.bing.office.net/odc/insertmedia | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://o365auditrealtimeingestion.manage.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://outlook.office365.com/api/v1.0/me/Activities | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://api.office.net | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://incidents.diagnosticssdf.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://asgsmsproxyapi.azurewebsites.net/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
https://clients.config.office.net/user/v1.0/android/policies | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://entitlement.diagnostics.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://substrate.office.com/search/api/v2/init | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://outlook.office.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://storage.live.com/clientlogs/uploadlocation | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://outlook.office365.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://webshell.suite.office.com | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://substrate.office.com/search/api/v1/SearchHistory | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://management.azure.com/ | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://messaging.lifecycle.office.com/getcustommessage16 | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://login.windows.net/common/oauth2/authorize | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: - | reputation: high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | source: B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD.3.dr | malicious: false | AV: URL Reputation: safe | reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
27.0.135.13 | unknown | China | 4837 | CHINA169-BACKBONE CHINAUNICOM China169 Backbone CN | false
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679121
Start date and time: 2022-08-05 09:51:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: #U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winEXE@7/4@10/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 85.7% (good quality ratio 74.3%)
• Quality average: 53.9%
• Quality standard deviation: 34.8%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 3
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.76.36, 52.109.88.37, 52.242.101.226, 52.152.110.14, 40.125.122.176
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, licensing.mp.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtQueryValueKey calls found
Simulations: No simulations
Context (IPs): No context
Context (Domains): No context
Match: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
TgwUjEDwgt | Get hash | malicious | Browse | 112.239.47.66
hOP0tFKwji | Get hash | malicious | Browse | 101.31.134.212
xd.mpsl | Get hash | malicious | Browse | 116.141.64.116
xd.arm | Get hash | malicious | Browse | 124.165.135.90
xd.mips | Get hash | malicious | Browse | 116.167.131.107
xd.x86 | Get hash | malicious | Browse | 124.164.104.84
xd.arm7 | Get hash | malicious | Browse | 1.26.48.158
r7QEABnuNr | Get hash | malicious | Browse | 60.220.236.188
tjymRNVgJ6 | Get hash | malicious | Browse | 220.195.246.255
AwjWWxuUd4 | Get hash | malicious | Browse | 61.163.153.172
xLzr2Gi7Qy | Get hash | malicious | Browse | 171.38.147.8
N9vBk22I3t | Get hash | malicious | Browse | 36.250.158.240
5VOJ8ukAac | Get hash | malicious | Browse | 42.85.18.210
Hghb5EDDCj | Get hash | malicious | Browse | 1.26.211.67
Gc32HooE4y | Get hash | malicious | Browse | 123.147.2.68
pEZ9B3KxAR | Get hash | malicious | Browse | 42.7.155.74
sC3c1VtMjA | Get hash | malicious | Browse | 115.57.30.12
CJyYKe5BWd | Get hash | malicious | Browse | 42.86.230.58
Todz6ncn8n | Get hash | malicious | Browse | 202.110.70.222
4mp5IYDycp | Get hash | malicious | Browse | 218.56.145.13
                                                                                                                                              No context
                                                                                                                                              No context
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):148061
                                                                                                                                              Entropy (8bit):5.358147023528658
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:PcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:O1Q9DQe+zuXYr
                                                                                                                                              MD5:FC031BF22CE6E9FCF3BBCD4645CC9CAA
                                                                                                                                              SHA1:3ECABDA5BEB7E8F758F225F03AF3E2FE32FADAD6
                                                                                                                                              SHA-256:542DAFFD4B4486F72BA534DA409FC90F7696E509FB24A87801778D045C792E4D
                                                                                                                                              SHA-512:AAE4BCF5B25CF638EE21FFCD481003D5157297DE8CFE7A81EA0FB20ADE9CC81FF296E8A63119FA9C4B12B959AB9D9E0E5B7B291DA18EFDDD4BE2AD40E31AC557
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-05T07:52:31">.. Build: 16.0.15601.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 5 15:52:21 2022, mtime=Fri Aug 5 15:52:32 2022, atime=Fri Aug 5 15:52:32 2022, length=23552, window=hide
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1127
                                                                                                                                              Entropy (8bit):4.789260694079556
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:12:8DsbhU9i6CHiLPNGX1Dwq+WAiucUy+o/ypa0Fb5b5Dyb0W4t2Y+xIBjKZm:8Dzopw0Oy+oKxJ5DyZ7aB6m
                                                                                                                                              MD5:3392F754CE250939539B340C618EE80F
                                                                                                                                              SHA1:96A237267FBD787C190689590FBD96EE1CAB8D3A
                                                                                                                                              SHA-256:0CB29152EEE395876B8ADB547B63CB737568A6F4471C9E8DFE25A8A55708FADA
                                                                                                                                              SHA-512:958ADCD9B0A49310864197CA38CE0D6E154A4B8E6CE4CD8DAFCB133DD815F82867B7CB2DA4ECF59B6677B89F9673C6091934D61B19E0C0303B1967BDDF04CE47
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:L..................F.... ...w.....].~....p.|.....\...........................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...U......................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....hT....user..>.......NM..U.......S.......................a.l.f.o.n.s.....~.1......U....Desktop.h.......NM..U.......Y..............>.......U.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2..\...U.. .839F~1.XLS..H.......U...U....../..........................m.uh....h.gh...x.l.s...........$.......$...5...........Z...............>.S......C:\Users\user\Desktop\???????.xls..C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\..m.uh....h.gh...x.l.s.......".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\..m.uh....h.gh...x.l.s.........:..,.LB.)...Aw...`.......X.......445817...........!a..%.H.VZAj.....s.........W...!a..%.H.VZAj.....s.........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):65
                                                                                                                                              Entropy (8bit):4.125194930303051
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:bDuMJlWb6lmMCLb6lv:bCNsW0
                                                                                                                                              MD5:C542BE0A3F696F4BD179F109E96EA1EF
                                                                                                                                              SHA1:429D43CAA9F2FAB8F03016524B779816F71696B1
                                                                                                                                              SHA-256:F0B490700453792AB1B1C015A8CD5A55E0ED0B310DB560C8BCE2E7A0BEEF62B6
                                                                                                                                              SHA-512:2734D51FBDDB322C8FB605054AC112C4079A3998ADDCC3723C65B4BD7C5D4A4A6EF4497376BBBF70DD5009B0A8EAF8D811A3D1114E3DD6823DF134DF38E417A1
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:[folders]..Templates.LNK=0..???????.LNK=0..[xls]..???????.LNK=0..
                                                                                                                                              Process:C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
                                                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1200, Locale ID: 2052, Author: ma, Last Saved By: Adminis, Create Time/Date: Sun Jul 25 22:22:00 2021, Last Saved Time/Date: Mon Jul 18 16:11:36 2022, Name of Creating Application: WPS Of, Security: 0
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):23552
                                                                                                                                              Entropy (8bit):4.7469238649865835
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:384:dCCCDQS4zTbleoPE8KI0fXb6HTsRQSO0JXGzfW6JjLuJj1zusAp7xOGz4uv8YXFh:dCCCDQS4zTbleoPE8KI0fXb0sGz4ud1G
                                                                                                                                              MD5:F5A8F916C2B8117DBF1CC1EA3319C8DA
                                                                                                                                              SHA1:B8E4B9E1247C54ED45BBA90CD2F1AAEDC0713372
                                                                                                                                              SHA-256:11E29E4983EAB5BBC95B11B06C8AD11A7375017B99B10FDE72F2669E5288E6BE
                                                                                                                                              SHA-512:05F5189A4F09A442D07D9440156B4F18C67284130D545C79CD701C72AF6A5B030DF1FD7C83F46D934749EB28AEF32936216AE4EB96D19129A5B3743B562F3DD8
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview:......................>...................................(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................+....................................................................................................................... ...!..."...#...$...%...&...'...........*...,...............................................................................................................................................................................................................................................................................................................................
                                                                                                                                              File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                              Entropy (8bit):7.991293672325191
                                                                                                                                              TrID:
                                                                                                                                              • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                              • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                              • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                              File name:#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
                                                                                                                                              File size:1553920
                                                                                                                                              MD5:2d2e2831ae6351fbee7810bfc0d10955
                                                                                                                                              SHA1:52a95894b8551743058a1bfe56e38919f43819c4
                                                                                                                                              SHA256:ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922
                                                                                                                                              SHA512:239d6ad7b0654146b8c5c08a9b2f07a770cfb0ddabbbcad03109f82b0e78494f80097a98de7d55487f90f41ac25e09f028b12f60c5fc30863d1c871dfbff8eb5
                                                                                                                                              SSDEEP:24576:GW4sP/ippqFg0wSEn/v3KY1EoylYBAOL3jiVFToMK/GoFabCWx5h/xz1iWnmTlT:7xIqFPEH6YWooYBAOL3GVFTs/DFiCMNq
                                                                                                                                              TLSH:CB7533D17703E012D5B611702AA38B36556FFC2BEE38574AAF11BF2F1D317A68858A42
                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........DL.......#...... .......09. TP..@9...@...............................Q............... ............................
                                                                                                                                              Icon Hash:74e4c4e4c4d4c4c4
                                                                                                                                              Entrypoint:0x905420
                                                                                                                                              Entrypoint Section:UPX1
                                                                                                                                              Digitally signed:false
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              Subsystem:windows gui
                                                                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                              Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                              TLS Callbacks:
                                                                                                                                              CLR (.Net) Version:
                                                                                                                                              OS Version Major:6
                                                                                                                                              OS Version Minor:1
                                                                                                                                              File Version Major:6
                                                                                                                                              File Version Minor:1
                                                                                                                                              Subsystem Version Major:6
                                                                                                                                              Subsystem Version Minor:1
                                                                                                                                              Import Hash:6ed4f5f04d62b18d96b26d6db7c18840
                                                                                                                                              Instruction
                                                                                                                                              push ebx
                                                                                                                                              push esi
                                                                                                                                              push edi
                                                                                                                                              push ebp
                                                                                                                                              dec eax
                                                                                                                                              lea esi, dword ptr [FFE8EBFAh]
                                                                                                                                              dec eax
                                                                                                                                              lea edi, dword ptr [esi-00393025h]
                                                                                                                                              push edi
                                                                                                                                              mov eax, 005034F4h
                                                                                                                                              push eax
                                                                                                                                              dec eax
                                                                                                                                              mov ecx, esp
                                                                                                                                              dec eax
                                                                                                                                              mov edx, edi
                                                                                                                                              dec eax
mov edi, esi
mov esi, 001713F4h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007F1D1076980Bh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
mov dword ptr [esp-10h], ecx
dec eax
mov dword ptr [esp-28h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp-08h], esi
dec esp
mov dword ptr [esp-18h], eax
mov ebx, eax
inc esp
mov dword ptr [esp-1Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx
dec eax
mov ebx, dword ptr [esp+38h]
Note on reading this listing: the dumped region is 64-bit code that has been decoded in 32-bit mode. The single-byte inc/dec register instructions (opcodes 0x40-0x4F: dec eax, dec ecx, dec edx, dec esp, inc ecx, inc esp, inc ebp) that sit directly before a mov, lea, shl, and or cmp are REX prefixes, not real instructions; "dec eax / mov ebp, esp" is mov rbp, rsp, "inc esp / mov ecx, dword ptr [ecx]" is mov r9d, [rcx], and "dec eax / cmp esp, ebx" is a cmp rsp, rbx stack check. Re-disassemble the dump as x86-64 before drawing conclusions from it.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50f320 | 0x9c | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x506000 | 0x9320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x393000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x394000 | 0x172000 | 0x172000 | False | 0.9995077597128378 | data | 7.99986627038318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x506000 | 0xa000 | 0x9400 | False | 0.43911000844594594 | data | 5.674111167289192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x5062e4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x506410 | 0x2e8 | data | English | United States
RT_ICON | 0x5066fc | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 248, next used block 65280 | English | United States
RT_ICON | 0x506d68 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x5072d4 | 0x8a8 | data | English | United States
RT_ICON | 0x507b80 | 0xea8 | data | English | United States
RT_ICON | 0x508a2c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x508e98 | 0x10a8 | data | English | United States
RT_ICON | 0x509f44 | 0x25a8 | data | English | United States
RT_ICON | 0x50c4f0 | 0x2885 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_GROUP_ICON | 0x50ed7c | 0x92 | data | English | United States
RT_VERSION | 0x50ee14 | 0x300 | data | English | United States
RT_MANIFEST | 0x50f118 | 0x207 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
These four APIs are exactly what a UPX decompression stub needs (the UPX0/UPX1 section names, the zero raw size of UPX0 and the near-8.0 entropy of UPX1 point the same way). The payload's real import table is rebuilt in memory after unpacking, so the static import list says nothing about what the sample does; unpack it (or dump it from memory) before relying on imports.
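The section and import tables above carry the usual packed-binary tells. As an added example that is not part of the Joe Sandbox report, the following script encodes those tells as triage heuristics and runs them over the values transcribed from this report. The flag bit values are the PE specification's; the packer section-name list, the 7.5 entropy threshold and the "at most 8 imports" cut-off for a loader stub are assumptions chosen for illustration.

```python
# Added example (not part of the Joe Sandbox report): packer heuristics over
# the section and import tables. Section values are transcribed from the report;
# the thresholds and the packer-name list are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# IMAGE_SECTION_HEADER.Characteristics bits as defined in the PE specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    "IMAGE_SCN_CNT_INITIALIZED_DATA": IMAGE_SCN_CNT_INITIALIZED_DATA,
    "IMAGE_SCN_CNT_UNINITIALIZED_DATA": IMAGE_SCN_CNT_UNINITIALIZED_DATA,
    "IMAGE_SCN_MEM_EXECUTE": IMAGE_SCN_MEM_EXECUTE,
    "IMAGE_SCN_MEM_READ": IMAGE_SCN_MEM_READ,
    "IMAGE_SCN_MEM_WRITE": IMAGE_SCN_MEM_WRITE,
}

# Assumed list of section names used by common packers.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                        ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2"}
HIGH_ENTROPY = 7.5      # assumed threshold; compressed or encrypted data approaches 8.0
STUB_IMPORT_LIMIT = 8   # assumed: a loader stub imports only a handful of APIs


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: Optional[float]   # None when the report could not compute it
    characteristics: int


def parse_characteristics(text: str) -> int:
    """Turn the report's comma-separated flag names into the Characteristics bitmask."""
    mask = 0
    for token in text.split(","):
        token = token.strip()
        if token:
            mask |= FLAG_NAMES[token]
    return mask


# Transcribed from the section table in this report.
SECTIONS = [
    Section("UPX0", 0x393000, 0x0, None, parse_characteristics(
        "IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE")),
    Section("UPX1", 0x172000, 0x172000, 7.99986627038318, parse_characteristics(
        "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE")),
    Section(".rsrc", 0xa000, 0x9400, 5.674111167289192, parse_characteristics(
        "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE")),
]
# Transcribed from the import table in this report.
IMPORTS = {"KERNEL32.DLL": ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"]}


def section_findings(s: Section) -> List[str]:
    """Return one line per packer indicator found on a single section."""
    findings = []
    if s.name in PACKER_SECTION_NAMES:
        findings.append(f"{s.name}: known packer section name")
    if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"{s.name}: writable and executable (W+X)")
    if s.raw_size == 0 and s.virtual_size > 0 and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"{s.name}: executable section with no raw data (filled at runtime by the unpacker)")
    if s.entropy is not None and s.entropy >= HIGH_ENTROPY and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"{s.name}: entropy {s.entropy:.2f} in an executable section (compressed/encrypted code)")
    return findings


def import_findings(imports: Dict[str, List[str]]) -> List[str]:
    """Flag a minimal import table that only a loader stub would need."""
    total = sum(len(v) for v in imports.values())
    names = {n for v in imports.values() for n in v}
    findings = []
    if {"LoadLibraryA", "GetProcAddress"} <= names and total <= STUB_IMPORT_LIMIT:
        findings.append(f"import table is a {total}-entry loader stub; real imports are resolved after unpacking")
    if "VirtualProtect" in names and total <= STUB_IMPORT_LIMIT:
        findings.append("VirtualProtect in a minimal import set: stub changes page protections before jumping to the payload")
    return findings


def assess(sections: List[Section], imports: Dict[str, List[str]]) -> dict:
    """Combine section and import indicators; three or more is treated as 'packed' (assumed cut-off)."""
    findings = [f for s in sections for f in section_findings(s)]
    findings += import_findings(imports)
    return {"packed": len(findings) >= 3, "findings": findings}


if __name__ == "__main__":
    result = assess(SECTIONS, IMPORTS)
    print("packed:", result["packed"])
    for line in result["findings"]:
        print(" -", line)
```

Run against the report's values it flags UPX0 (name, W+X, zero raw size), UPX1 (name, W+X, entropy) and the four-entry import stub; .rsrc produces nothing. A normal compiler-built `.text` section with a full import list produces no findings, which is the point of checking several independent indicators rather than the section name alone.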
Language of compilation system | Country where language is spoken
English | United States
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 09:52:21.419822931 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:24.538278103 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:24.785228968 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:24.785429955 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:24.789292097 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.036046982 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036730051 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036756992 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036781073 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036819935 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036844969 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036866903 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036870003 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.036890030 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036912918 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036921978 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.036936998 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036961079 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.036973953 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.037055969 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.283895969 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.283956051 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.283998013 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.284045935 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.284099102 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.284156084 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.284203053 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.284224033 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.284257889 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:25.284290075 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:25.284334898 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:30.042006969 CEST | 80 | 49737 | 27.0.135.13 | 192.168.2.5
Aug 5, 2022 09:52:30.042123079 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
Aug 5, 2022 09:52:31.032546043 CEST | 49737 | 80 | 192.168.2.5 | 27.0.135.13
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 09:52:27.284778118 CEST | 53821 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.340873003 CEST | 53 | 53821 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.376110077 CEST | 61356 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.434125900 CEST | 53 | 61356 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.453694105 CEST | 59661 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.511209011 CEST | 53 | 59661 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.543205976 CEST | 57278 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.595329046 CEST | 53 | 57278 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.624944925 CEST | 53757 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.682616949 CEST | 53 | 53757 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.720825911 CEST | 54322 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.782706022 CEST | 53 | 54322 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.831644058 CEST | 62704 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:27.885870934 CEST | 53 | 62704 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:27.958754063 CEST | 53934 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:28.013510942 CEST | 53 | 53934 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:28.044615984 CEST | 63712 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:28.100229979 CEST | 53 | 63712 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 09:52:28.113236904 CEST | 63187 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 09:52:28.165755033 CEST | 53 | 63187 | 8.8.8.8 | 192.168.2.5
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 09:52:27.284778118 CEST | 192.168.2.5 | 8.8.8.8 | 0xbe52 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.376110077 CEST | 192.168.2.5 | 8.8.8.8 | 0x6f97 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.453694105 CEST | 192.168.2.5 | 8.8.8.8 | 0xe9b3 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.543205976 CEST | 192.168.2.5 | 8.8.8.8 | 0xae71 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.624944925 CEST | 192.168.2.5 | 8.8.8.8 | 0xbbaa | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.720825911 CEST | 192.168.2.5 | 8.8.8.8 | 0x4118 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.831644058 CEST | 192.168.2.5 | 8.8.8.8 | 0x8553 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.958754063 CEST | 192.168.2.5 | 8.8.8.8 | 0x9791 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:28.044615984 CEST | 192.168.2.5 | 8.8.8.8 | 0x8928 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:28.113236904 CEST | 192.168.2.5 | 8.8.8.8 | 0x7bd3 | Standard query (0) | jquery-min.us | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 09:52:27.340873003 CEST | 8.8.8.8 | 192.168.2.5 | 0xbe52 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.434125900 CEST | 8.8.8.8 | 192.168.2.5 | 0x6f97 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.511209011 CEST | 8.8.8.8 | 192.168.2.5 | 0xe9b3 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.595329046 CEST | 8.8.8.8 | 192.168.2.5 | 0xae71 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.682616949 CEST | 8.8.8.8 | 192.168.2.5 | 0xbbaa | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.782706022 CEST | 8.8.8.8 | 192.168.2.5 | 0x4118 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:27.885870934 CEST | 8.8.8.8 | 192.168.2.5 | 0x8553 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:28.013510942 CEST | 8.8.8.8 | 192.168.2.5 | 0x9791 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:28.100229979 CEST | 8.8.8.8 | 192.168.2.5 | 0x8928 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:52:28.165755033 CEST | 8.8.8.8 | 192.168.2.5 | 0x7bd3 | Server failure (2) | jquery-min.us | none | none | A (IP address) | IN (0x0001)
• 27.0.135.13
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49737 | 27.0.135.13 | 80 | C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:52:24.789292097 CEST | 456 | OUT | GET /%E6%B6%89%E7%96%AB%E8%BD%A8%E8%BF%B9%E6%A3%80%E6%9F%A5%E8%A1%A8.xls HTTP/1.1
Host: 27.0.135.13
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Aug 5, 2022 09:52:25.036730051 CEST | 458 | IN | HTTP/1.1 200 OK
Date: Fri, 05 Aug 2022 07:52:24 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Mon, 18 Jul 2022 15:13:28 GMT
ETag: "5c00-5e415cf643743"
Accept-Ranges: bytes
Content-Length: 23552
Content-Type: application/vnd.ms-excel

Target ID: 0
Start time: 09:52:20
Start date: 05/08/2022
Path: C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe"
Imagebase: 0x400000
File size: 1553920 bytes
MD5 hash: 2D2E2831AE6351FBEE7810BFC0D10955
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64, Description: Detects CobaltStrike payloads, Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.449971931.000000C0001CE000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000000.00000002.450050616.000000C0001D4000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.450050616.000000C0001D4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Cobaltbaltstrike_RAW_Payload_https_stager_x64, Description: Detects CobaltStrike payloads, Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 09:52:25
Start date: 05/08/2022
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\cmd.exe /C start ???????.xls
Imagebase: 0x7ff602050000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:52:25
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77f440000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 09:52:29
Start date: 05/08/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Imagebase: 0xfc0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high


Execution Graph

Execution Coverage: 8.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 37.5%
Total number of Nodes: 8
Total number of Limit Nodes: 0
execution_graph (node id, address, API calls; edges read left to right):
556 26e30000 -> 559 26e300d2 -> 560 26e300df LoadLibraryA InternetOpenA -> 561 26e3019f -> 564 26e3010c InternetConnectA -> 565 26e301a4 -> 568 26e3012b HttpOpenRequestA -> 569 26e30152

                                                                                                                                                Callgraph

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 26E30127
                                                                                                                                                  • Part of subcall function 26E3012B: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 26E30146
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 26E30000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_26e30000_#U8d26#U53f7#U5bc6#U7801#U8868.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ConnectHttpInternetOpenRequest
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1341064763-0
                                                                                                                                                • Opcode ID: 4b5e488f00d0a0747ae5bd5a09a4fe3805bdc8e1b05bc720544e18237e5e69de
                                                                                                                                                • Instruction ID: 6639e0aafba04e57c2894f9d395a2abf13a59b2886c36b35b1ac94172ba5eda3
                                                                                                                                                • Opcode Fuzzy Hash: 4b5e488f00d0a0747ae5bd5a09a4fe3805bdc8e1b05bc720544e18237e5e69de
                                                                                                                                                • Instruction Fuzzy Hash: E571BD31D693D54AD7169F78D75AA757FD6EF12308F2810AEE1C18B0A3C260E522C78A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNELBASE ref: 26E300ED
                                                                                                                                                • InternetOpenA.WININET(00000000,00000000), ref: 26E30105
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 26E30000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_26e30000_#U8d26#U53f7#U5bc6#U7801#U8868.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: InternetLibraryLoadOpen
                                                                                                                                                • String ID: wini
                                                                                                                                                • API String ID: 2559873147-1606035523
                                                                                                                                                • Opcode ID: c4e598ee00361e645494ae8fc795bcad1464ec46a927fb28b021ee2119b284d8
                                                                                                                                                • Instruction ID: a82a0c68e6088d205b158bfe11119781282cd65c60cb7cb3c2086790915e14c6
                                                                                                                                                • Opcode Fuzzy Hash: c4e598ee00361e645494ae8fc795bcad1464ec46a927fb28b021ee2119b284d8
                                                                                                                                                • Instruction Fuzzy Hash: 55F0E561E6C6D812E20D6A686C1AD3B6B8AC31210DB0581AFF186E25D7CC504E26C0D6
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 26E30146
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.447338281.0000000026E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 26E30000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_26e30000_#U8d26#U53f7#U5bc6#U7801#U8868.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: HttpOpenRequest
                                                                                                                                                • String ID: U.;
                                                                                                                                                • API String ID: 1984915467-4213443877
                                                                                                                                                • Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
                                                                                                                                                • Instruction ID: 9c2bcee45efa332a90a12fc7b41f853fcebdb33e50452757c199dcebf83cabe0
                                                                                                                                                • Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
                                                                                                                                                • Instruction Fuzzy Hash: AA119D6074894D1BF21C819E7C6AB3621CAD3C8729F20813FB54EC33D6DC68CC92805A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                C-Code - Quality: 57%
                                                                                                                                                			E004323C0(void* __ebx, void* __edx, long long* __rdx, void* __rsi, long long __rbp) {
                                                                                                                                                				char _v8;
                                                                                                                                                				long long _v16;
                                                                                                                                                				long long _v24;
                                                                                                                                                				char _v48;
                                                                                                                                                				intOrPtr _v64;
                                                                                                                                                				char _v72;
                                                                                                                                                				long long _v80;
                                                                                                                                                				long long _v88;
                                                                                                                                                				long long _v96;
                                                                                                                                                				void* _v104;
                                                                                                                                                				long long _v120;
                                                                                                                                                				long long _v144;
                                                                                                                                                				long long _v152;
                                                                                                                                                				long long _v160;
                                                                                                                                                				long long _v168;
                                                                                                                                                				void* _t50;
                                                                                                                                                				void* _t68;
                                                                                                                                                				void* _t69;
                                                                                                                                                				void* _t71;
                                                                                                                                                				void* _t72;
                                                                                                                                                				void* _t73;
                                                                                                                                                				long long _t85;
                                                                                                                                                				long long _t90;
                                                                                                                                                				intOrPtr _t94;
                                                                                                                                                				long long _t100;
                                                                                                                                                				long long _t101;
                                                                                                                                                				long long _t105;
                                                                                                                                                				long long _t107;
                                                                                                                                                				long long* _t108;
                                                                                                                                                				void* _t113;
                                                                                                                                                				long long* _t114;
                                                                                                                                                
                                                                                                                                                				L0:
                                                                                                                                                				while(1) {
                                                                                                                                                					L0:
                                                                                                                                                					_t111 = __rbp;
                                                                                                                                                					_t108 = __rdx;
                                                                                                                                                					_t70 = __edx;
                                                                                                                                                					_t68 = __ebx;
                                                                                                                                                					if( &_v48 <=  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x10))) {
                                                                                                                                                						goto L7;
                                                                                                                                                					}
                                                                                                                                                					L1:
                                                                                                                                                					_t114 = _t113 - 0xb0;
                                                                                                                                                					_v8 = __rbp;
                                                                                                                                                					_t111 =  &_v8;
                                                                                                                                                					_v104 = 0;
                                                                                                                                                					 *_t114 =  *0x886130;
                                                                                                                                                					_v168 = 0xffffffff;
                                                                                                                                                					_v160 = 0xfffffffe;
                                                                                                                                                					_v152 = 0xffffffff;
                                                                                                                                                					_v144 =  &_v104;
                                                                                                                                                					asm("xorps xmm0, xmm0");
                                                                                                                                                					asm("movups [esp+0x28], xmm0");
                                                                                                                                                					_v120 = 2;
                                                                                                                                                					E00432A40( &_v8);
                                                                                                                                                					_t85 =  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x30));
                                                                                                                                                					_v24 = _t85;
                                                                                                                                                					_t105 = _t85 + 0x310;
                                                                                                                                                					_v16 = _t105;
                                                                                                                                                					 *_t114 = _t105;
                                                                                                                                                					L0040AB50(__edx,  &_v8);
                                                                                                                                                					 *((long long*)(_v24 + 0x318)) = _v104;
                                                                                                                                                					 *_t114 = _v16;
                                                                                                                                                					L0040AD40( &_v8);
                                                                                                                                                					asm("xorps xmm0, xmm0");
                                                                                                                                                					asm("movups [esp+0x68], xmm0");
                                                                                                                                                					asm("movups [esp+0x78], xmm0");
                                                                                                                                                					asm("movups [esp+0x88], xmm0");
                                                                                                                                                					 *_t114 =  *0x886040;
                                                                                                                                                					_v168 =  &_v72;
                                                                                                                                                					_t90 =  &_v72;
                                                                                                                                                					_v160 = _t90;
                                                                                                                                                					_v152 = 0x30;
                                                                                                                                                					_t50 = E004328C0(_t111);
                                                                                                                                                					if(_v144 == 0) {
                                                                                                                                                						L6:
                                                                                                                                                						E004647C0();
                                                                                                                                                						_v88 = _t90;
                                                                                                                                                						L004373F0( *_t114, _t111);
                                                                                                                                                						 *_t114 =  &M006BEE8C;
                                                                                                                                                						_v168 = 0x24;
                                                                                                                                                						L00437DA0(_t68, _t69, _t71, _t72, _t73, _t111);
                                                                                                                                                						 *_t114 = _v88;
                                                                                                                                                						L00437AB0(_t68, _t69, _t71, _t72, _t73, _t111);
                                                                                                                                                						L00437480(L00437690(_t68, _t69, _t70, _t71, _t72, _t73, _t111), _t68, _t111);
                                                                                                                                                						 *_t114 = "VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizeconnection doesn\'t support Ed25519crypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerexpected an RSA public key, got %TforEachP: sched.safePointWait != 0http2: aborting request body writehttp: connection has been hijackedhttp: persistConn.readLoop exitinghttp: read on closed response bodyillegal base64 data at input byte invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: ChanDir of non-chan type reflect: Field index out of boundsreflect: Field of non-struct type reflect: Method index out of rangereflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]stream error: stream ID %d; %v; %vtimeout waiting for client prefacetls: malformed key_share extensiontoo many references: cannot spliceunexpected runtime.netpoll error: unsupported authentication method x509: Ed25519 verification failurex509: unhandled critical extension%d response missing Location header\'_\' must separate successive digits1776356839400250464677810668945312588817841970012523233890533447265625CONTINUATION frame with stream ID 0chacha20: output smaller than inputcrypto/md5: invalid hash state sizedynamic table size update too largeed25519: cannot sign hashed messageencoding/hex: odd length hex stringfile type does not support deadlinefindfunc: bad findfunctab entry idxfindrunnable: netpoll with spinningflate: corrupt input 
before offset greyobject: obj not pointer-alignedhpack: invalid Huffman-encoded datahttp: server closed idle connectionmheap.freeSpanLocked - invalid freemime: bogus characters after %%: %qmime: invalid RFC 2047 encoded-wordnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close polldesc w/o unblockruntime: createevent failed; errno=runtime: inconsistent read deadlinesuperfluous leading zeros in lengthtls: invalid or missing PSK binderstls: server selected an invalid PSKtls: too many non-advancing recordstoo many Questions to pack (>65535)traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedx509: decryption password incorrectx509: wrong Ed25519 public key size LastStreamID=%v ErrCode=%v Debug=%q) is larger than maximum page size (0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryIA5String contains invalid characterMStats vs MemStatsType size mismatchTime.UnmarshalBinary: invalid lengthUnable to determine system directoryaccessing a corrupted shared librarychacha20: wrong HChaCha20 nonce sizecompressed name in SRV resource datacrypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0crypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functionexpected an ECDSA public key, got %Thttp: no Location header in responsehttp: unexpected EOF reading trailermalformed MIME header initial line: no acceptable authentication methodsreflect: NumField of non-struct typeruntime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: 
negative countsyntax error scanning complex numbertls: server did not send a key shareuncaching span but s.allocCount == 0unsupported SSLv2 handshake receivedx509: zero or negative DSA parameter) is smaller than minimum page size (2220446049250313080847263336181640625_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!bytes.Buffer: truncation out of rangec:\\windows\\system32\\cmd.exe /C start cannot exec a shared library directlychacha20poly1305: plaintext too largecipher: message authentication failedcrypto/cipher: incorrect GCM tag sizecrypto/cipher: invalid buffer overlapcrypto/rsa: public exponent too largecrypto/rsa: public exponent too smallcrypto/rsa: unsupported hash functioncrypto: Size of unknown hash functionexplicitly tagged member didn\'t matchfailed to reserve page summary memoryinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type reflect: IsVariadic of non-func type reflect: NumField of non-struct type reflect: funcLayout of non-func type runtime: allocation size out of rangeruntime: failed mSpanList.insertBack setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpsubtle: slices have different lengthstls: unsupported certificate key (%T)too many Additionals to pack (>65535)too many Authorities to pack (>65535)unexpected CONTINUATION for stream %dvalue too large for defined data typex509: RSA key missing NULL parameters1110223024625156540423631668090820312555511151231257827021181583404541015625Unable to determine system directory: addtimer called with initialized timerarg size to reflect.call more than 1GBcan not access a needed shared librarychacha20poly1305: ciphertext too largeconcurrent map iteration and map writecrypto/sha256: invalid hash state sizecrypto/sha512: invalid hash state sizeencoding alphabet is not 64-bytes longexpected an Ed25519 public key, got %Tfailed to parse Location header %q: 
%vgcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: unknown signature typeinternal error: unknown string type %dmakechan: invalid channel element typemime: expected slash after first tokennet/http: invalid header field name %qruntime: blocked read on free polldescruntime: sudog with non-false isSelecttime: missing Location in call to Datetls: client sent unexpected early datatls: failed to sign ECDHE parameters: tls: internal error: unsupported curvetls: invalid ClientKeyExchange messagetls: invalid ServerKeyExchange messagetls: missing ServerKeyExchange messagetls: server selected unsupported curvetls: server selected unsupported grouptls: unsupported signing key type (%T)unsupported signature algorithm: %#04xx509: cannot validate certificate for x509: empty name constraints extensionx509: trailing data after X.509 key-id because it doesn\'t contain any IP SANs2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNotification";
                                                                                                                                                						_v168 = 0x22;
                                                                                                                                                						L00435CF0(_t111);
                                                                                                                                                						goto L7;
                                                                                                                                                					}
                                                                                                                                                					L2:
                                                                                                                                                					_t94 = _v64;
                                                                                                                                                					_t107 = _t94 + 0x4000;
                                                                                                                                                					_v96 = _t107;
                                                                                                                                                					_t108 =  *((intOrPtr*)( *[gs:0x28]));
                                                                                                                                                					_t101 =  *((intOrPtr*)(_t108 + 8));
                                                                                                                                                					_v80 = _t101;
                                                                                                                                                					if(_t107 > _t101 || _t101 - _t107 > 0x4000000) {
                                                                                                                                                						L5:
                                                                                                                                                						L004373F0(_t50, _t111);
                                                                                                                                                						 *_t114 =  &M006B84D3;
                                                                                                                                                						_v168 = 0x13;
                                                                                                                                                						L00437DA0(_t68, _t69, _t71, _t72, _t73, _t111);
                                                                                                                                                						 *_t114 = _v96;
                                                                                                                                                						L00437C30(_t68, _t69, _t71, _t72, _t73, _t111);
                                                                                                                                                						 *_t114 =  &M006B3E02;
                                                                                                                                                						_v168 = 1;
                                                                                                                                                						L00437DA0(_t68, _t69, _t71, _t72, _t73, _t111);
                                                                                                                                                						 *_t114 = _v80;
                                                                                                                                                						L00437C30(_t68, _t69, _t71, _t72, _t73, _t111);
                                                                                                                                                						 *_t114 = 0x6b3e3c;
                                                                                                                                                						_v168 = 2;
                                                                                                                                                						L00437480(L00437DA0(_t68, _t69, _t71, _t72, _t73, _t111), _t68, _t111);
                                                                                                                                                						_t90 =  &M006B5D29;
                                                                                                                                                						 *_t114 = _t90;
                                                                                                                                                						_v168 = 0xc;
                                                                                                                                                						L00435CF0(_t111);
                                                                                                                                                						goto L6;
                                                                                                                                                					}
                                                                                                                                                					L4:
                                                                                                                                                					 *_t108 = _t107;
                                                                                                                                                					_t100 = _t94 + 0x5380;
                                                                                                                                                					 *((long long*)(_t108 + 0x10)) = _t100;
                                                                                                                                                					 *((long long*)(_t108 + 0x18)) = _t100;
                                                                                                                                                					return E004625A0(_t50);
                                                                                                                                                					L8:
                                                                                                                                                					L7:
                                                                                                                                                					E00460C50(_t108, _t111);
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                Strings
                                                                                                                                                • 0, xrefs: 004324D4
                                                                                                                                                • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtoo many open filesunexpected g statusunknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait , xrefs: 00432554
                                                                                                                                                • bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal seekinvalid baseinvalid , xrefs: 004325C0
                                                                                                                                                • ,-./01456:;<=>?@ABCEFLMNOPSTZ["\, xrefs: 0043257B
                                                                                                                                                • ", xrefs: 00432627
                                                                                                                                                • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 004325EB
                                                                                                                                                • VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizeconnection doesn't support Ed25519crypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 0043261C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.444609671.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.444580177.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446730857.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446749198.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446772727.0000000000904000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446784422.0000000000905000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446795005.0000000000906000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_#U8d26#U53f7#U5bc6#U7801#U8868.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: "$,-./01456:;<=>?@ABCEFLMNOPSTZ["\$0$VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizeconnection doesn't support Ed25519crypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu$bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal seekinvalid baseinvalid $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtoo many open filesunexpected g statusunknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait
                                                                                                                                                • API String ID: 0-1546224530
                                                                                                                                                • Opcode ID: 3ebc666f01cd042580803af1b1ef3f34da406d37b02292a60ba292d26461b255
                                                                                                                                                • Instruction ID: c6c19bbf7ee5e7fe23e2b233dd55d52510df358e13e54c50f3cd7a1f87d34af4
                                                                                                                                                • Opcode Fuzzy Hash: 3ebc666f01cd042580803af1b1ef3f34da406d37b02292a60ba292d26461b255
                                                                                                                                                • Instruction Fuzzy Hash: 91513836108F8585D760AF15F08435EB3A4F789768F509226EADC03BA9EF7CC194CB44
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Control-flow Graph

                                                                                                                                                C-Code - Quality: 76%
                                                                                                                                                			E004420A0(void* __eax, long long __rbp, long long _a8) {
                                                                                                                                                				char _v8;
                                                                                                                                                				long long _v16;
                                                                                                                                                				long long _v24;
                                                                                                                                                				long long _v32;
                                                                                                                                                				long long _v40;
                                                                                                                                                				long long _v48;
                                                                                                                                                				long long _v56;
                                                                                                                                                				long long _v64;
                                                                                                                                                				long long _v72;
                                                                                                                                                				void* _t62;
                                                                                                                                                				void* _t64;
                                                                                                                                                				void* _t65;
                                                                                                                                                				void* _t66;
                                                                                                                                                				void* _t67;
                                                                                                                                                				long long _t76;
                                                                                                                                                				long long _t93;
                                                                                                                                                				long long _t96;
                                                                                                                                                				long long _t98;
                                                                                                                                                				void* _t99;
                                                                                                                                                				long long _t100;
                                                                                                                                                				void* _t103;
                                                                                                                                                				long long* _t104;
                                                                                                                                                				void* _t106;
                                                                                                                                                				void* _t107;
                                                                                                                                                				void* _t108;
                                                                                                                                                				void* _t109;
                                                                                                                                                				void* _t110;
                                                                                                                                                				void* _t111;
                                                                                                                                                				void* _t112;
                                                                                                                                                				void* _t113;
                                                                                                                                                
                                                                                                                                                				L0:
                                                                                                                                                				while(1) {
                                                                                                                                                					L0:
                                                                                                                                                					_t101 = __rbp;
                                                                                                                                                					_t43 = __eax;
                                                                                                                                                					if(_t103 <=  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x10))) {
                                                                                                                                                						goto L11;
                                                                                                                                                					}
                                                                                                                                                					L1:
                                                                                                                                                					_t104 = _t103 - 0x50;
                                                                                                                                                					_v8 = __rbp;
                                                                                                                                                					_t101 =  &_v8;
                                                                                                                                                					_t76 =  *((intOrPtr*)( *[gs:0x28]));
                                                                                                                                                					_t96 =  *((intOrPtr*)(_t76 + 0x30));
                                                                                                                                                					_t98 =  *((intOrPtr*)(_t96 + 0xa0));
                                                                                                                                                					if(_t98 == 0) {
                                                                                                                                                						L10:
                                                                                                                                                						 *_t104 =  &M006B909F;
                                                                                                                                                						_v72 = 0x15;
                                                                                                                                                						L00435CF0(_t101);
                                                                                                                                                						goto L11;
                                                                                                                                                					}
                                                                                                                                                					L2:
                                                                                                                                                					_t93 =  *((intOrPtr*)(_t96 + 0x130));
                                                                                                                                                					if(_t93 == 0) {
                                                                                                                                                						goto L10;
                                                                                                                                                					}
                                                                                                                                                					L3:
                                                                                                                                                					_v16 = _t96;
                                                                                                                                                					_v24 = _t93;
                                                                                                                                                					_v32 = _t98;
                                                                                                                                                					_t100 =  *((intOrPtr*)(_t98 + 0x38));
                                                                                                                                                					_v64 = _t100;
                                                                                                                                                					if(_t100 != _t96 ||  *((intOrPtr*)(_t98 + 0x40)) != _t93 ||  *((intOrPtr*)(_t98 + 4)) != 1) {
                                                                                                                                                						L9:
                                                                                                                                                						_v40 =  *((intOrPtr*)(_t98 + 0x40));
                                                                                                                                                						_t63 =  *((intOrPtr*)(_t98 + 4));
                                                                                                                                                						_v56 = _t96;
                                                                                                                                                						L004373F0(_t43, _t101);
                                                                                                                                                						 *_t104 =  &M006B5ECD;
                                                                                                                                                						_v72 = 0xc;
                                                                                                                                                						L00437DA0(_t62,  *((intOrPtr*)(_t98 + 4)), _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 = _v16;
                                                                                                                                                						L00437D50(_t62,  *((intOrPtr*)(_t98 + 4)), _t65, _t66, _t67, _t99, _t101);
                                                                                                                                                						 *_t104 = 0x6b44df;
                                                                                                                                                						_v72 = 6;
                                                                                                                                                						L00437DA0(_t62,  *((intOrPtr*)(_t98 + 4)), _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 = _v32;
                                                                                                                                                						L00437D50(_t62, _t63, _t65, _t66, _t67, _t99, _t101);
                                                                                                                                                						 *_t104 = 0x6b44eb;
                                                                                                                                                						_v72 = 6;
                                                                                                                                                						L00437DA0(_t62, _t63, _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 = _v64;
                                                                                                                                                						L00437C30(_t62, _t63, _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 =  &M006B55AB;
                                                                                                                                                						_v72 = 0xb;
                                                                                                                                                						L00437DA0(_t62, _t63, _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 = _v24;
                                                                                                                                                						L00437D50(_t62, _t63, _t65, _t66, _t67, _t99, _t101);
                                                                                                                                                						 *_t104 =  &M006B55D7;
                                                                                                                                                						_v72 = 0xb;
                                                                                                                                                						L00437DA0(_t62, _t63, _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 = _v40;
                                                                                                                                                						L00437D50(_t62, _t63, _t65, _t66, _t67, _t99, _t101);
                                                                                                                                                						 *_t104 =  &M006B55E2;
                                                                                                                                                						_v72 = 0xb;
                                                                                                                                                						L00437DA0(_t62, _t63, _t65, _t66, _t67, _t101);
                                                                                                                                                						 *_t104 = _v56;
                                                                                                                                                						L00437AB0(_t62, _t63, _t65, _t66, _t67, _t101);
                                                                                                                                                						L00437480(L00437690(_t62, _t63, _t64, _t65, _t66, _t67, _t101), _t62, _t101);
                                                                                                                                                						 *_t104 = 0x6bab09;
                                                                                                                                                						_v72 = 0x19;
                                                                                                                                                						L00435CF0(_t101);
                                                                                                                                                						goto L10;
                                                                                                                                                					}
                                                                                                                                                					L6:
                                                                                                                                                					if( *0x8d1070 != 0) {
                                                                                                                                                						_v48 = _t76;
                                                                                                                                                						 *_t104 = _t98;
                                                                                                                                                						_t43 = L00455A80(__eax, _t62, _t65, _t66, _t67,  &_v8, _t106, _t107, _t108, _t109, _t110, _t111, _t112, _t113);
                                                                                                                                                						_t76 = _v48;
                                                                                                                                                						_t98 = _v32;
                                                                                                                                                					}
                                                                                                                                                					 *((long long*)( *((intOrPtr*)(_t76 + 0x30)) + 0xa0)) = 0;
                                                                                                                                                					 *((long long*)( *((intOrPtr*)(_t76 + 0x30)) + 0x130)) = 0;
                                                                                                                                                					 *((long long*)(_t98 + 0x38)) = 0;
                                                                                                                                                					 *((intOrPtr*)(_t98 + 4)) = 0;
                                                                                                                                                					_a8 = _t98;
                                                                                                                                                					return _t43;
                                                                                                                                                					L12:
                                                                                                                                                					L11:
                                                                                                                                                					E00460C50(_t98, _t101);
                                                                                                                                                				}
                                                                                                                                                			}
                                                                                                                                                0x0044228a
                                                                                                                                                0x00442296
                                                                                                                                                0x0044229a
                                                                                                                                                0x004422a3
                                                                                                                                                0x00000000
                                                                                                                                                0x004422a3
                                                                                                                                                0x00442126
                                                                                                                                                0x0044212d
                                                                                                                                                0x0044216b
                                                                                                                                                0x00442170
                                                                                                                                                0x00442174
                                                                                                                                                0x00442179
                                                                                                                                                0x0044217e
                                                                                                                                                0x0044217e
                                                                                                                                                0x00442133
                                                                                                                                                0x00442142
                                                                                                                                                0x0044214d
                                                                                                                                                0x00442155
                                                                                                                                                0x0044215c
                                                                                                                                                0x0044216a
                                                                                                                                                0x00000000
                                                                                                                                                0x004422c2
                                                                                                                                                0x004422c2
                                                                                                                                                0x004422c2

Strings
• releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort buffertransmitfileunknown portwirep: p->m= != sweepgen MB) workers= called from flushedWork heap_marked= idlethreads= in host name is nil, not nStackRoots, xrefs: 0044219B
• releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunknown , xrefs: 004422A8
• m->p= next= p->m= prev= span= varp=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPA, xrefs: 004421C2
• m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= s.nelems= schedtick= span.list= timerslen=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=Bad GatewayBad RequestClassHESIODCloseHandleCookie.PathCreateF, xrefs: 00442210
Memory Dump Source
• Source File: 00000000.00000002.444609671.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.444580177.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446730857.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446749198.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446772727.0000000000904000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446784422.0000000000905000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.446795005.0000000000906000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_#U8d26#U53f7#U5bc6#U7801#U8868.jbxd
Similarity
• API ID:
• String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= s.nelems= schedtick= span.list= timerslen=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=Bad GatewayBad RequestClassHESIODCloseHandleCookie.PathCreateF$ m->p= next= p->m= prev= span= varp=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunknown $releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort buffertransmitfileunknown portwirep: p->m= != sweepgen MB) workers= called from flushedWork heap_marked= idlethreads= in host name is nil, not nStackRoots
• API String ID: 0-974503857
• Opcode ID: 90727b1dde60214bb74b35a4c85dc9ce6c97419b65dd6c9291f422f54706e6b0
• Instruction ID: b9f45741eb854098d2a123ac5b9e5fafe4934d51dbff68e8306c8536bb41df64
• Opcode Fuzzy Hash: 90727b1dde60214bb74b35a4c85dc9ce6c97419b65dd6c9291f422f54706e6b0
• Instruction Fuzzy Hash: 9F5126B6119F4485DB50AF11F08436EB7A8F788798F51902AEACD47B29DF7DC0A4CB04
Uniqueness
• Uniqueness Score: -1.00%