Windows Analysis Report
1a#U77e5.exe

Overview

General Information

Sample Name: 1a#U77e5.exe
Analysis ID: 679126
MD5: 3f2202e24ad0a66c08f88a18dd7b5fb4
SHA1: 62df51eb1351279afa4dbe5920758d6974427ac9
SHA256: eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d
Tags: exe
Infos:

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Potentially malicious time measurement code found
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality for execution timing, often used to detect debuggers
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 1a#U77e5.exe Virustotal: Detection: 61% Perma Link
Source: 1a#U77e5.exe Metadefender: Detection: 22% Perma Link
Source: 1a#U77e5.exe ReversingLabs: Detection: 76%
Antivirus / Scanner detection for submitted sample
Source: 1a#U77e5.exe Avira: detected
Antivirus detection for URL or domain
Source: https://124.221.206.154:1443/ubmit.phpn Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/ubmit.php Avira URL Cloud: Label: malware
Source: https://124.221.206.154/n-US Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/ Avira URL Cloud: Label: malware
Source: https://124.221.206.154/W Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpo Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpw Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpy Avira URL Cloud: Label: malware
Source: https://124.221.206.154/- Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpx Avira URL Cloud: Label: malware
Source: 124.221.206.154 Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/0; Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpI Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpQ Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpc Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Windows\Temp\????????????.exe Avira: detection malicious, Label: HEUR/AGEN.1211767
Multi AV Scanner detection for dropped file
Source: C:\Windows\Temp\????????????.exe Metadefender: Detection: 25% Perma Link
Source: C:\Windows\Temp\????????????.exe ReversingLabs: Detection: 61%
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 1443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "124.221.206.154,/submit.php", "HttpPostUri": "/submit.jsp", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 0, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: 1a#U77e5.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Temp\????????????.exe Code function: 4x nop then sub rbx, qword ptr [rax+18h] 3_2_0131B1A0
Source: C:\Windows\Temp\????????????.exe Code function: 4x nop then mov r8, 0000800000000000h 3_2_01324AC0

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 124.221.206.154
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49755 -> 124.221.206.154:1443
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: unknown TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154/
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154/-
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154/W
Source: ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154/n-US
Source: ????????????.exe, 00000003.00000003.680436999.0000025BF36DA000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450674237.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645708761.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546244712.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472618349.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515410872.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707824461.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507054004.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565779330.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/
Source: ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/(
Source: ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/0;
Source: ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/9.0;
Source: ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/a
Source: ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/e
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/l
Source: ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.php
Source: ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.php-
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.php154:1443/N
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.php3
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.php?
Source: ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpG
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpI
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpParameters
Source: ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpQ
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpa19e716f260s
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpc
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpe
Source: ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpo
Source: ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpw
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpx
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpy
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/ubmit.php
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/ubmit.phpn
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/ubmit.phpra
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.aadrm.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.aadrm.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.cortana.ai
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.diagnostics.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.office.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.onedrive.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://augloop.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://augloop.office.com/v2
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cdn.entity.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://clients.config.office.net/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://config.edge.skype.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cortana.ai
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cortana.ai/api
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://cr.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dev.cortana.ai
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://devnull.onenote.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://directory.services.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://graph.ppe.windows.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://graph.windows.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://graph.windows.net/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://invites.office.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://lifecycle.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://login.microsoftonline.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://login.windows.local
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://management.azure.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://management.azure.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.action.office.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://messaging.office.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ncus.contentsync.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://officeapps.live.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://onedrive.live.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://osi.office.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://otelrules.azureedge.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office365.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office365.com/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://powerlift.acompli.net
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://roaming.edog.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://settings.outlook.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://staging.cortana.ai
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://tasks.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://webshell.suite.office.com
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://wus2.contentsync.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory: https://www.odwebp.svc.ms

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Yara signature match
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000003.00000002.706923007.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.705984762.000000C000174000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000003.00000002.706488711.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01318900 3_2_01318900
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_013121C0 3_2_013121C0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0131C9C0 3_2_0131C9C0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0130B8E0 3_2_0130B8E0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0130ACE0 3_2_0130ACE0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01334F00 3_2_01334F00
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01324F60 3_2_01324F60
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01345B60 3_2_01345B60
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0131B3A0 3_2_0131B3A0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01304780 3_2_01304780
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01304BE0 3_2_01304BE0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0131B7E0 3_2_0131B7E0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01315BE0 3_2_01315BE0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0131C200 3_2_0131C200
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0132E600 3_2_0132E600
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01311665 3_2_01311665
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01308240 3_2_01308240
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01322240 3_2_01322240
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01303EA0 3_2_01303EA0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0130A2C0 3_2_0130A2C0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_01324AC0 3_2_01324AC0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A88FE0 3_2_0000025BF8A88FE0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A747D0 3_2_0000025BF8A747D0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A7A0B4 3_2_0000025BF8A7A0B4
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A87060 3_2_0000025BF8A87060
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A86190 3_2_0000025BF8A86190
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A7B9E8 3_2_0000025BF8A7B9E8
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A879D0 3_2_0000025BF8A879D0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A6916C 3_2_0000025BF8A6916C
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A80144 3_2_0000025BF8A80144
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A752C0 3_2_0000025BF8A752C0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A7C2CC 3_2_0000025BF8A7C2CC
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A8533C 3_2_0000025BF8A8533C
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A6EC30 3_2_0000025BF8A6EC30
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A7CC10 3_2_0000025BF8A7CC10
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A86D77 3_2_0000025BF8A86D77
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A69680 3_2_0000025BF8A69680
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A7AE74 3_2_0000025BF8A7AE74
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ACACB4 3_2_0000025BF8ACACB4
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ACD810 3_2_0000025BF8ACD810
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AC53D0 3_2_0000025BF8AC53D0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AD7C60 3_2_0000025BF8AD7C60
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ACC5E8 3_2_0000025BF8ACC5E8
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AD85D0 3_2_0000025BF8AD85D0
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ACCD54 3_2_0000025BF8ACCD54
Found potential string decryption / allocating functions
Source: C:\Windows\Temp\????????????.exe Code function: String function: 01332C40 appears 247 times
Source: C:\Windows\Temp\????????????.exe Code function: String function: 01330BA0 appears 191 times
Source: C:\Windows\Temp\????????????.exe Code function: String function: 013323C0 appears 39 times
Tries to load missing DLLs
Source: C:\Windows\System32\cmd.exe Section loaded: sfc.dll Jump to behavior
PE file contains more sections than normal
Source: 1a#U77e5.exe Static PE information: Number of sections : 14 > 10
Source: ????????????.exe.0.dr Static PE information: Number of sections : 13 > 10
Source: 1a#U77e5.exe Static PE information: Section: /19 ZLIB complexity 0.9987782579787234
Source: 1a#U77e5.exe Static PE information: Section: /32 ZLIB complexity 0.9890455163043478
Source: 1a#U77e5.exe Static PE information: Section: /65 ZLIB complexity 0.9983048349056604
Source: 1a#U77e5.exe Static PE information: Section: /78 ZLIB complexity 0.9892698688271605
Source: ????????????.exe.0.dr Static PE information: Section: /19 ZLIB complexity 0.9949880125661376
Source: ????????????.exe.0.dr Static PE information: Section: /32 ZLIB complexity 0.9894425675675675
Source: ????????????.exe.0.dr Static PE information: Section: /65 ZLIB complexity 0.9975082694986073
Source: ????????????.exe.0.dr Static PE information: Section: /78 ZLIB complexity 0.9895907315340909
Source: 1a#U77e5.exe Virustotal: Detection: 61%
Source: 1a#U77e5.exe Metadefender: Detection: 22%
Source: 1a#U77e5.exe ReversingLabs: Detection: 76%
Source: 1a#U77e5.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1a#U77e5.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\1a#U77e5.exe "C:\Users\user\Desktop\1a#U77e5.exe"
Source: C:\Users\user\Desktop\1a#U77e5.exe Process created: C:\Windows\Temp\????????????.exe C:\Windows\Temp\????????????.exe 9gb3vbgeng
Source: C:\Windows\Temp\????????????.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1a#U77e5.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ?????????????????????.docx
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o "
Source: C:\Users\user\Desktop\1a#U77e5.exe Process created: C:\Windows\Temp\????????????.exe C:\Windows\Temp\????????????.exe 9gb3vbgeng Jump to behavior
Source: C:\Users\user\Desktop\1a#U77e5.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ?????????????????????.docx Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o " Jump to behavior
Source: C:\Windows\Temp\????????????.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: ?????????????????????.LNK.7.dr LNK file: ..\..\..\..\..\Desktop\.docx
Source: C:\Users\user\Desktop\1a#U77e5.exe File created: C:\Users\user\Desktop\?????????????????????.docx Jump to behavior
Source: C:\Users\user\Desktop\1a#U77e5.exe File created: C:\Windows\Temp\????????????.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@0/1
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: 1a#U77e5.exe Static file information: File size 4732928 > 1048576
Source: 1a#U77e5.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x33da00
Source: 1a#U77e5.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8A920EC push 0000006Ah; retf 3_2_0000025BF8A92104
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ABA71E push cs; retf 3_2_0000025BF8ABA71F
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AD60DB push ebp; iretd 3_2_0000025BF8AD60DC
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AD6124 push ebp; iretd 3_2_0000025BF8AD6125
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AD60FB push ebp; iretd 3_2_0000025BF8AD60FC
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ABA35D push edi; iretd 3_2_0000025BF8ABA35E
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ABBD58 push ebp; iretd 3_2_0000025BF8ABBD59
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8ADAE68 push ebp; iretd 3_2_0000025BF8ADAE6D
PE file contains sections with non-standard names
Source: 1a#U77e5.exe Static PE information: section name: /4
Source: 1a#U77e5.exe Static PE information: section name: /19
Source: 1a#U77e5.exe Static PE information: section name: /32
Source: 1a#U77e5.exe Static PE information: section name: /46
Source: 1a#U77e5.exe Static PE information: section name: /65
Source: 1a#U77e5.exe Static PE information: section name: /78
Source: 1a#U77e5.exe Static PE information: section name: /90
Source: 1a#U77e5.exe Static PE information: section name: .symtab
Source: ????????????.exe.0.dr Static PE information: section name: /4
Source: ????????????.exe.0.dr Static PE information: section name: /19
Source: ????????????.exe.0.dr Static PE information: section name: /32
Source: ????????????.exe.0.dr Static PE information: section name: /46
Source: ????????????.exe.0.dr Static PE information: section name: /65
Source: ????????????.exe.0.dr Static PE information: section name: /78
Source: ????????????.exe.0.dr Static PE information: section name: /90
Source: ????????????.exe.0.dr Static PE information: section name: .symtab
Drops PE files
Source: C:\Users\user\Desktop\1a#U77e5.exe File created: C:\Windows\Temp\????????????.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\1a#U77e5.exe File created: C:\Windows\Temp\????????????.exe Jump to dropped file
Source: C:\Users\user\Desktop\1a#U77e5.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1a#U77e5.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\????????????.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Temp\????????????.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Temp\????????????.exe TID: 2264 Thread sleep time: -1800000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Temp\????????????.exe Last function: Thread delayed
Source: C:\Windows\Temp\????????????.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_013582C0 rdtscp 3_2_013582C0
Source: C:\Windows\Temp\????????????.exe Thread delayed: delay time: 60000 Jump to behavior
Source: 1a#U77e5.exe, 00000000.00000002.441267582.0000027D4128C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM]
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging
barindex
Potentially malicious time measurement code found
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_013582C0 Start: 013582C9 End: 013582DF 3_2_013582C0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_013582C0 rdtscp 3_2_013582C0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\1a#U77e5.exe Process created: C:\Windows\Temp\????????????.exe C:\Windows\Temp\????????????.exe 9gb3vbgeng Jump to behavior
Source: C:\Users\user\Desktop\1a#U77e5.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ?????????????????????.docx Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o " Jump to behavior
Source: C:\Windows\Temp\????????????.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Temp\????????????.exe Code function: 3_2_0000025BF8AC3B5C GetUserNameA,strrchr,_snprintf, 3_2_0000025BF8AC3B5C

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679126 Sample: 1a#U77e5.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus detection for URL or domain 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 32 3 other signatures 2->32 7 1a#U77e5.exe 2 2->7         started        process3 file4 22 C:\Windows\Temp\????????????.exe, PE32+ 7->22 dropped 10 ????????????.exe 1 7->10         started        14 cmd.exe 5 2 7->14         started        process5 dnsIp6 24 124.221.206.154, 1443, 49755, 49763 JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR China 10->24 34 Antivirus detection for dropped file 10->34 36 Multi AV Scanner detection for dropped file 10->36 38 Potentially malicious time measurement code found 10->38 16 conhost.exe 10->16         started        18 WINWORD.EXE 248 35 14->18         started        20 conhost.exe 14->20         started        signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
124.221.206.154
 unknown China
45361 JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR true

Contacted URLs

Name Malicious Antivirus Detection Reputation
124.221.206.154 true
  • Avira URL Cloud: malware
 unknown