Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: http://weather.service.msn.com/data.aspx |
Source: ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154/ |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154/- |
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154/W |
Source: ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154/n-US |
Source: ????????????.exe, 00000003.00000003.680436999.0000025BF36DA000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450674237.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645708761.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546244712.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472618349.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515410872.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707824461.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507054004.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565779330.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/ |
Source: ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/( |
Source: ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/0; |
Source: ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/9.0; |
Source: ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/a |
Source: ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/e |
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/l |
Source: ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.php |
Source: ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.php- |
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.php154:1443/N |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.php3 |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.php? |
Source: ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpG |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpI |
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpParameters |
Source: ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpQ |
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpa19e716f260s |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpc |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpe |
Source: ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpo |
Source: ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpw |
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpx |
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/submit.phpy |
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/ubmit.php |
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/ubmit.phpn |
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://124.221.206.154:1443/ubmit.phpra |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinsinstallation.store.office.com/app/download |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinslicensing.store.office.com/apps/remove |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinslicensing.store.office.com/commerce/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://analysis.windows.net/powerbi/api |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.aadrm.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.aadrm.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.addins.omex.office.net/appinfo/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.addins.omex.office.net/appstate/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.addins.store.office.com/addinstemplate |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.addins.store.office.com/app/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.cortana.ai |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.diagnostics.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.diagnosticssdf.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.microsoftstream.com/api/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.office.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.onedrive.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.powerbi.com/beta/myorg/imports |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://apis.live.net/v5.0/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://arc.msn.com/v4/api/selection |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://augloop.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://augloop.office.com/v2 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://autodiscover-s.outlook.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cdn.entity. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://client-office365-tas.msedge.net/ab |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://clients.config.office.net/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://clients.config.office.net/user/v1.0/ios |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://clients.config.office.net/user/v1.0/mac |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://config.edge.skype.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://config.edge.skype.com/config/v1/Office |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://config.edge.skype.com/config/v2/Office |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cortana.ai |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cortana.ai/api |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://cr.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dataservice.o365filtering.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dataservice.o365filtering.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dev.cortana.ai |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://dev0-api.acompli.net/autodetect |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://devnull.onenote.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://directory.services. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ecs.office.com/config/v2/Office |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://entitlement.diagnostics.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://entitlement.diagnosticssdf.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://globaldisco.crm.dynamics.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://graph.ppe.windows.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://graph.ppe.windows.net/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://graph.windows.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://graph.windows.net/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon? |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://incidents.diagnostics.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://incidents.diagnosticssdf.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://inclient.store.office.com/gyro/client |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://inclient.store.office.com/gyro/clientstore |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://invites.office.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://lifecycle.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://login.microsoftonline.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://login.windows.local |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://login.windows.net/common/oauth2/authorize |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://management.azure.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://management.azure.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.action.office.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.action.office.com/setcampaignaction |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.action.office.com/setuseraction16 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.engagement.office.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.lifecycle.office.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://messaging.office.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://metadata.templates.cdn.office.net/client/log |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://my.microsoftpersonalcontent.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ncus.contentsync. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ncus.pagecontentsync. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://officeapps.live.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://officeci.azurewebsites.net/api/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://officesetup.getmicrosoftkey.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://onedrive.live.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://onedrive.live.com/embed? |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://osi.office.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://otelrules.azureedge.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid= |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office365.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office365.com/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://pages.store.office.com/review/query |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://powerlift-frontdesk.acompli.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://powerlift.acompli.net |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://roaming.edog. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://settings.outlook.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://shell.suite.office.com:1443 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://skyapi.live.net/Activity/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://staging.cortana.ai |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://store.office.cn/addinstemplate |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://store.office.de/addinstemplate |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://substrate.office.com/search/api/v2/init |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://tasks.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://web.microsoftstream.com/video/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://webshell.suite.office.com |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://wus2.contentsync. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://wus2.pagecontentsync. |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2 |
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr |
String found in binary or memory: https://www.odwebp.svc.ms |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000003.00000002.706923007.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 00000003.00000002.705984762.000000C000174000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000003.00000002.706488711.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17 |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13 |
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR |
Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR |
Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc |
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR |
Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration |
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR |
Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\1a#U77e5.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\1a#U77e5.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Temp\????????????.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\Temp\????????????.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |