
Windows Analysis Report
1a#U77e5.exe

Overview

General Information

Sample Name: 1a#U77e5.exe
Analysis ID: 679126
MD5: 3f2202e24ad0a66c08f88a18dd7b5fb4
SHA1: 62df51eb1351279afa4dbe5920758d6974427ac9
SHA256: eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d
Tags: exe

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Potentially malicious time measurement code found
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality for execution timing, often used to detect debuggers
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 1a#U77e5.exe (PID: 5296 cmdline: "C:\Users\user\Desktop\1a#U77e5.exe" MD5: 3F2202E24AD0A66C08F88A18DD7B5FB4)
    • ????????????.exe (PID: 3016 cmdline: C:\Windows\Temp\????????????.exe 9gb3vbgeng MD5: 84E3D79DA5E503374E61A17351781C14)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5788 cmdline: cmd.exe /c start ?????????????????????.docx MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WINWORD.EXE (PID: 5308 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o " MD5: 0B9AB9B9C4DE429473D6450D4297A123)
{"BeaconType": ["HTTPS"], "Port": 1443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "124.221.206.154,/submit.php", "HttpPostUri": "/submit.jsp", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 0, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source | Rule | Description | Author | Strings
00000003.00000002.706923007.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp | Cobaltbaltstrike_Beacon_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team
  • 0x0:$s10: TVpBUlVIieVIgewgAAAAS
00000003.00000002.705984762.000000C000174000.00000004.00001000.00020000.00000000.sdmp | Cobaltbaltstrike_Beacon_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team
  • 0x10:$s10: TVpBUlVIieVIgewgAAAAS
00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp | HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth
  • 0x3b3ae:$xs1: WS2_32.dll
  • 0x3b8a1:$xs2: ReflectiveLoader
00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp | Trojan_Raw_Generic_4 | unknown | FireEye
  • 0x17b4b:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 0F F3 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ...
  • 0x16f0e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp | CobaltStrike_Sleep_Decoder_Indicator | Detects CobaltStrike sleep_mask decoder | yara@s3c.za.net
  • 0x10a48:$sleep_decoder: 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 4C 8B 51 08 41 8B F0 48 8B EA 48 8B D9 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9
Source | Rule | Description | Author | Strings
3.2.????????????.exe.25bf8a60000.2.raw.unpack | HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth
  • 0x3a3ae:$xs1: WS2_32.dll
  • 0x3a8a1:$xs2: ReflectiveLoader
3.2.????????????.exe.25bf8a60000.2.raw.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0x3a8a1:$x1: ReflectiveLoader
3.2.????????????.exe.25bf8a60000.2.raw.unpack | Cobaltbaltstrike_Beacon_x64 | Detects CobaltStrike payloads | Avast Threat Intel Team
  • 0x0:$h01: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D EA FF FF FF 48 89
  • 0x3aa30:$h13: 2E 2F 2E 2F 2E 2C 2E 26 2E 2C 2E 2F 2E 2C 2B 8D 2E
3.2.????????????.exe.25bf8a60000.2.raw.unpack | CobaltStrike_Sleep_Decoder_Indicator | Detects CobaltStrike sleep_mask decoder | yara@s3c.za.net
  • 0xfe48:$sleep_decoder: 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 4C 8B 51 08 41 8B F0 48 8B EA 48 8B D9 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9
3.2.????????????.exe.25bf8a60000.2.raw.unpack | CobaltStrike_C2_Encoded_XOR_Config_Indicator | Detects CobaltStrike C2 encoded profile configuration | yara@s3c.za.net
  • 0x3aa30:$s046: 2E 2F 2E 2F 2E 2C 2E 26 2E 2C 2E 2F 2E 2C 2B 8D 2E 2D 2E 2C 2E 2A 2E 2E C4 4E 2E 2A 2E 2C 2E 2A 2E 3E 2E 2E 2E 2B 2E 2F 2E 2C 2E 2E
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 1a#U77e5.exe | Virustotal: Detection: 61%
Source: 1a#U77e5.exe | Metadefender: Detection: 22%
Source: 1a#U77e5.exe | ReversingLabs: Detection: 76%
Source: 1a#U77e5.exe | Avira: detected
Source: https://124.221.206.154:1443/ubmit.phpn | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/ubmit.php | Avira URL Cloud: Label: malware
Source: https://124.221.206.154/n-US | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/ | Avira URL Cloud: Label: malware
Source: https://124.221.206.154/W | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpo | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpw | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpy | Avira URL Cloud: Label: malware
Source: https://124.221.206.154/- | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpx | Avira URL Cloud: Label: malware
Source: 124.221.206.154 | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/0; | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpI | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpQ | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpc | Avira URL Cloud: Label: malware
Source: https://124.221.206.154:1443/submit.phpe | Avira URL Cloud: Label: malware
Source: C:\Windows\Temp\????????????.exe | Avira: detection malicious, Label: HEUR/AGEN.1211767
Source: C:\Windows\Temp\????????????.exe | Metadefender: Detection: 25%
Source: C:\Windows\Temp\????????????.exe | ReversingLabs: Detection: 61%
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 1443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "124.221.206.154,/submit.php", "HttpPostUri": "/submit.jsp", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 0, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: 1a#U77e5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\Temp\????????????.exe | Code function: 4x nop then sub rbx, qword ptr [rax+18h]
Source: C:\Windows\Temp\????????????.exe | Code function: 4x nop then mov r8, 0000800000000000h

Networking

Source: Malware configuration extractor | URLs: 124.221.206.154
Source: Joe Sandbox View | ASN Name: JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR
Source: global traffic | TCP traffic: 192.168.2.5:49755 -> 124.221.206.154:1443
Source: unknown | TCP traffic detected without corresponding DNS query: 124.221.206.154
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154/
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 
00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154/-
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154/W
Source: ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154/n-US
Source: ????????????.exe, 00000003.00000003.680436999.0000025BF36DA000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450674237.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645708761.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546244712.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472618349.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515410872.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707824461.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 
00000003.00000003.507054004.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565779330.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/
Source: ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/(
Source: ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/0;
Source: ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/9.0;
Source: ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/a
Source: ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/e
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/l
Source: ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.php
Source: ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.php-
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.php154:1443/N
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.php3
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.php?
Source: ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.phpG
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.phpI
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.phpParameters
Source: ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://124.221.206.154:1443/submit.phpQ
(Dump lists below are abbreviated as 00000003.00000003.{n1, n2, ...}.region.sdmp, one memory dump per number in braces.)
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpa19e716f260s
Source: ????????????.exe, 00000003.00000003.{528285189, 511119713, 550870441, 546326792, 650269287, 581376031, 555953821, 561061987, 630445997, 565837469, 645791258, 625692730, 680612251, 524018797, 698330034, 519760880, 515437734, 533004895, 595821118}.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp; ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpc
Source: ????????????.exe, 00000003.00000003.{528285189, 511119713, 550870441, 546326792, 650269287, 446429982, 459728313, 455168561, 581376031, 555953821, 561061987, 630445997, 565837469, 645791258, 468267152, 472644248, 625692730, 680612251, 450683931, 524018797}.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp; ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpe
Source: ????????????.exe, 00000003.00000003.{650269287, 459728313, 455168561, 581376031, 561061987, 630445997, 565837469, 645791258, 468267152, 472644248, 625692730, 680612251, 450683931, 698330034, 463998398, 595821118}.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp; ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpo
Source: ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpw
Source: ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpx
Source: ????????????.exe, 00000003.00000003.{528285189, 511119713, 550870441, 546326792, 650269287, 645791258, 472644248, 680612251, 524018797, 698330034, 519760880, 515437734, 533004895, 507141900}.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp; ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/submit.phpy
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/ubmit.php
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/ubmit.phpn
Source: ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://124.221.206.154:1443/ubmit.phpra
All ten rows above are carved copies of a single URL, https://124.221.206.154:1443/submit.php: the trailing characters (a19e716f260s, c, e, o, w, x, y, n, ra) are adjacent memory bytes that the string scanner ran into, and /ubmit.php is the same string carved one byte late. /submit.php is the http-post URI of Cobalt Strike's stock Malleable C2 profile, so the indicator to record is the host, the port and that path, not the noisy variants.
Source: E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr String found in binary or memory (every URL below comes from this one dropped file; they are Microsoft Office and Microsoft 365 service endpoints embedded in it rather than beacon configuration, and https://shell.suite.office.com:1443 shows that port 1443 on its own does not separate the C2 above from legitimate Office traffic):
https://addinsinstallation.store.office.com/app/acquisitionlogging
https://addinsinstallation.store.office.com/app/download
https://addinsinstallation.store.office.com/appinstall/authenticated
https://addinsinstallation.store.office.com/appinstall/preinstalled
https://addinsinstallation.store.office.com/appinstall/unauthenticated
https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
https://addinslicensing.store.office.com/apps/remove
https://addinslicensing.store.office.com/commerce/query
https://addinslicensing.store.office.com/entitlement/query
https://addinslicensing.store.office.com/orgid/apps/remove
https://addinslicensing.store.office.com/orgid/entitlement/query
https://analysis.windows.net/powerbi/api
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://api.aadrm.com
https://api.aadrm.com/
https://api.addins.omex.office.net/appinfo/query
https://api.addins.omex.office.net/appstate/query
https://api.addins.store.office.com/addinstemplate
https://api.addins.store.office.com/app/query
https://api.addins.store.officeppe.com/addinstemplate
https://api.cortana.ai
https://api.diagnostics.office.com
https://api.diagnosticssdf.office.com
https://api.diagnosticssdf.office.com/v2/feedback
https://api.diagnosticssdf.office.com/v2/file
https://api.microsoftstream.com/api/
https://api.office.net
https://api.onedrive.com
https://api.powerbi.com/beta/myorg/imports
https://api.powerbi.com/v1.0/myorg/datasets
https://api.powerbi.com/v1.0/myorg/groups
https://apis.live.net/v5.0/
https://arc.msn.com/v4/api/selection
https://asgsmsproxyapi.azurewebsites.net/
https://augloop.office.com
https://augloop.office.com/v2
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
https://autodiscover-s.outlook.com/
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://cdn.entity.
https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
https://client-office365-tas.msedge.net/ab
https://clients.config.office.net/
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
https://clients.config.office.net/user/v1.0/android/policies
https://clients.config.office.net/user/v1.0/ios
https://clients.config.office.net/user/v1.0/mac
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://cloudfiles.onenote.com/upload.aspx
https://config.edge.skype.com
https://config.edge.skype.com/config/v1/Office
https://config.edge.skype.com/config/v2/Office
https://cortana.ai
https://cortana.ai/api
https://cr.office.com
https://dataservice.o365filtering.com
https://dataservice.o365filtering.com/
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://dev.cortana.ai
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://dev0-api.acompli.net/autodetect
https://devnull.onenote.com
https://directory.services.
https://ecs.office.com/config/v2/Office
https://enrichment.osi.office.net/
https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
https://entitlement.diagnostics.office.com
https://entitlement.diagnosticssdf.office.com
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
https://globaldisco.crm.dynamics.com
https://graph.ppe.windows.net
https://graph.ppe.windows.net/
https://graph.windows.net
https://graph.windows.net/
https://hubblecontent.osi.office.net/contentsvc/api/telemetry
https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
https://hubblecontent.osi.office.net/contentsvc/microsofticon?
https://incidents.diagnostics.office.com
https://incidents.diagnosticssdf.office.com
https://inclient.store.office.com/gyro/client
https://inclient.store.office.com/gyro/clientstore
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
https://insertmedia.bing.office.net/odc/insertmedia
https://invites.office.com/
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
https://lifecycle.office.com
https://login.microsoftonline.com/
https://login.windows-ppe.net/common/oauth2/authorize
https://login.windows.local
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://login.windows.net/common/oauth2/authorize
https://loki.delve.office.com/api/v1/configuration/officewin32/
https://lookup.onenote.com/lookup/geolocation/v1
https://management.azure.com
https://management.azure.com/
https://messaging.action.office.com/
https://messaging.action.office.com/setcampaignaction
https://messaging.action.office.com/setuseraction16
https://messaging.engagement.office.com/
https://messaging.engagement.office.com/campaignmetadataaggregator
https://messaging.lifecycle.office.com/
https://messaging.lifecycle.office.com/getcustommessage16
https://messaging.office.com/
https://metadata.templates.cdn.office.net/client/log
https://my.microsoftpersonalcontent.com
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://ncus.contentsync.
https://ncus.pagecontentsync.
https://o365auditrealtimeingestion.manage.office.com
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
https://o365diagnosticsppe-web.cloudapp.net
https://ocos-office365-s2s.msedge.net/ab
https://ofcrecsvcapi-int.azurewebsites.net/
https://officeapps.live.com
https://officeci.azurewebsites.net/api/
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://officesetup.getmicrosoftkey.com
https://ogma.osi.office.net/TradukoApi/api/v1.0/
https://omex.cdn.office.net/addinclassifier/officeentities
https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
https://omex.cdn.office.net/addinclassifier/officesharedentities
https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
https://onedrive.live.com
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://onedrive.live.com/embed?
https://osi.office.net
https://otelrules.azureedge.net
https://outlook.office.com
https://outlook.office.com/
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://outlook.office365.com
https://outlook.office365.com/
https://outlook.office365.com/api/v1.0/me/Activities
https://outlook.office365.com/autodiscover/autodiscover.json
https://ovisualuiapp.azurewebsites.net/pbiagave/
https://pages.store.office.com/appshome.aspx?productgroup=Outlook
https://pages.store.office.com/review/query
https://pages.store.office.com/webapplandingpage.aspx
https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://portal.office.com/account/?ref=ClientMeControl
https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
https://powerlift-frontdesk.acompli.net
https://powerlift.acompli.net
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://prod-global-autodetect.acompli.net/autodetect
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
https://res.getmicrosoftkey.com/api/redemptionevents
https://roaming.edog.
https://rpsticket.partnerservices.getmicrosoftkey.com
https://settings.outlook.com
https://shell.suite.office.com:1443
https://skyapi.live.net/Activity/
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://staging.cortana.ai
https://storage.live.com/clientlogs/uploadlocation
https://store.office.cn/addinstemplate
https://store.office.de/addinstemplate
https://substrate.office.com/search/api/v1/SearchHistory
https://substrate.office.com/search/api/v2/init
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://tasks.office.com
https://uci.cdn.office.net/mirrored/smartlookup/current/
https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
https://visio.uservoice.com/forums/368202-visio-on-devices
https://web.microsoftstream.com/video/
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://webshell.suite.office.com
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://wus2.contentsync.
https://wus2.pagecontentsync.
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
https://www.odwebp.svc.ms

System Summary

Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
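The SUSP_XORed_Mozilla matches on the unpacked Beacon images above note that the rule relies on YARA's xor modifier and therefore cannot report which key was used, and the CobaltStrike_C2_Encoded_XOR_Config_Indicator matches point at a single-byte-XORed profile configuration in the same images. The following Python script is an added example, not part of this Joe Sandbox report and not code from the sample: it brute-forces the single-byte key for a keyword over a buffer, reports offset and key, decodes the surrounding string, and runs the same search for an XOR-encoded Beacon config header. The config prefix bytes 00 01 00 01 00 02 and the key 0x69 are assumptions taken from public Beacon config parsers (the first config record, BeaconType, encoded as index 1, type 1, length 2, with 4.x Beacons XORing the whole config with 0x69), not facts stated on this page. The input buffer is constructed inline; to use the script on one of the .sdmp regions listed in this report, replace build_sample() with the bytes of that dump.

```python
"""Single-byte XOR keyword brute force over a memory dump.

Added example, not part of the Joe Sandbox report. It does by hand what the
`xor` modifier in the SUSP_XORed_Mozilla YARA rule does, and additionally
reports the key and offset, which the rule description says YARA cannot print.
The input buffer is constructed below; no data from the real sample is used.
"""
from __future__ import annotations

# Keyword the SUSP_XORed_Mozilla rule looks for.
UA_KEYWORD = b"Mozilla/5.0"

# Assumption (not stated on the page): a Cobalt Strike Beacon config begins
# with record 1 (BeaconType) encoded as index=1, type=1 (short), length=2,
# i.e. 00 01 00 01 00 02, and 4.x Beacons XOR the whole config with 0x69.
BEACON_CFG_PREFIX = b"\x00\x01\x00\x01\x00\x02"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored(buf: bytes, keyword: bytes, keys=range(1, 256)) -> list[tuple[int, int]]:
    """Return (offset, key) for each place where keyword XOR key occurs in buf.

    Key 0x00 is skipped on purpose: a plaintext hit is what the ordinary
    string rules already catch; only an encoded copy is evidence of obfuscation.
    """
    hits: list[tuple[int, int]] = []
    for key in keys:
        needle = xor_bytes(keyword, key)
        start = 0
        while (idx := buf.find(needle, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


def recover_printable(buf: bytes, offset: int, key: int) -> bytes:
    """Decode forward from offset with key until the first non-printable byte.

    For an XORed string this yields the whole string, not just the keyword,
    e.g. the full User-Agent a Beacon profile uses.
    """
    out = bytearray()
    for b in buf[offset:]:
        c = b ^ key
        if not 0x20 <= c <= 0x7E:
            break
        out.append(c)
    return bytes(out)


# --- constructed test data ----------------------------------------------------
UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
FILLER = (b"PE\x00\x00" + b"\x00" * 32
          + b"This program cannot be run in DOS mode.\r\n" + b"\x90" * 48)


def build_sample() -> bytes:
    """Constructed dump: filler, the UA XORed with 0x5A, filler, a config-like
    header (prefix plus a two-byte value) XORed with 0x69, filler."""
    return (FILLER + xor_bytes(UA, 0x5A) + FILLER
            + xor_bytes(BEACON_CFG_PREFIX + b"\x00\x08", 0x69) + FILLER)


def scan(buf: bytes) -> dict[str, list[tuple[int, int, bytes]]]:
    """Run both searches; each hit is (offset, key, decoded bytes)."""
    return {
        "xored_user_agent": [(off, key, recover_printable(buf, off, key))
                             for off, key in find_xored(buf, UA_KEYWORD)],
        "beacon_config_prefix": [(off, key, xor_bytes(buf[off:off + 8], key))
                                 for off, key in find_xored(buf, BEACON_CFG_PREFIX)],
    }


if __name__ == "__main__":
    for name, hits in scan(build_sample()).items():
        for off, key, decoded in hits:
            print(f"{name}: offset=0x{off:x} key=0x{key:02x} -> {decoded!r}")
```

The search excludes key 0x00 deliberately, so a plaintext "Mozilla/5.0" in a legitimate PE never counts as a hit; only an encoded copy does, which is the same reasoning behind the YARA rule. A hit on the config prefix with key 0x69 is the point at which a full config parser (one that walks the index/type/length records) would take over; this script stops at locating the header and its key.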
Source: 00000003.00000002.706923007.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.705984762.000000C000174000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000003.00000002.706488711.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTRMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTRMatched rule: Cobaltbaltstrike_Beacon_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTRMatched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
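The SUSP_XORed_Mozilla and CobaltStrike_C2_Encoded_XOR_Config_Indicator matches above usually fire on the same artifact: a beacon stores its configuration XOR-encoded with a single byte (0x2e for Cobalt Strike 4.x, 0x69 for 3.x), so the configured User-Agent shows up in memory as a single-byte-XORed 'Mozilla/5.0'. The SUSP_XORed_Mozilla rule text says it cannot print the key. The Python below is an added example, not code from this report or from any of the rule authors: it brute-forces the key of the keyword, then locates the encoded configuration by its XORed first entry and walks the TLV settings. The memory buffer it scans is constructed for the example, the C2 host and paths in it are placeholders, and the setting indices and value types follow the public beacon parsers (such as 1768.py); only a subset of the indices is named.

```python
"""Added example, not code from the report: brute-force the single-byte XOR key
of 'Mozilla/5.0' and decode a single-byte-XOR-encoded Cobalt Strike beacon
configuration from a memory buffer. CONSTRUCTED_DUMP is built here for the
example; it is not data taken from the analysed sample."""
import struct

KEYWORD = b"Mozilla/5.0"
# A decoded beacon config begins with setting 1 (BeaconType), type short, length 2.
CONFIG_MAGIC = bytes.fromhex("000100010002")
# Keys used by public beacon parsers: 0x2e for Cobalt Strike 4.x, 0x69 for 3.x.
CONFIG_KEYS = (0x2E, 0x69)
SHORT, INT, DATA = 1, 2, 3  # TLV value types
# Subset of the setting indices as named by public parsers (e.g. 1768.py).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
                 10: "HttpPostUri", 13: "SpawnTo"}


def xor(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def find_xored_keyword(dump: bytes, keyword: bytes = KEYWORD) -> list:
    """Return (offset, key) for every single-byte XOR of keyword found in dump.
    Key 0 means the keyword is present in plaintext, so callers can tell the cases apart."""
    hits = []
    for key in range(256):
        needle = xor(keyword, key)
        pos = dump.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = dump.find(needle, pos + 1)
    return hits


def parse_config(decoded: bytes) -> dict:
    """Walk the TLV list: u16 index, u16 type, u16 length, value; index 0 ends it."""
    settings = {}
    off = 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if idx == 0:
            break
        raw = decoded[off:off + length]
        off += length
        if typ == SHORT:
            value = struct.unpack(">H", raw)[0]
        elif typ == INT:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00")  # fixed-size string fields are NUL padded
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
    return settings


def find_beacon_config(dump: bytes, keys=CONFIG_KEYS):
    """Locate the encoded config by its XORed magic; return (key, offset, settings) or None."""
    for key in keys:
        pos = dump.find(xor(CONFIG_MAGIC, key))
        if pos != -1:
            return key, pos, parse_config(xor(dump[pos:], key))
    return None


# --- constructed test data: a minimal config encoded the way a 4.x beacon stores it ---
def _entry(idx: int, typ: int, value) -> bytes:
    packers = {SHORT: lambda v: struct.pack(">H", v),
               INT: lambda v: struct.pack(">I", v),
               DATA: lambda v: v}
    raw = packers[typ](value)
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


CONSTRUCTED_CONFIG = (
    _entry(1, SHORT, 8) + _entry(2, SHORT, 443) + _entry(3, INT, 60000)
    + _entry(5, SHORT, 20)
    + _entry(8, DATA, b"c2.example.invalid,/api/v1\x00")  # placeholder, not a real C2
    + _entry(9, DATA, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00")
    + _entry(10, DATA, b"/submit.php\x00")
    + struct.pack(">HHH", 0, 0, 0)  # terminator
)
CONSTRUCTED_DUMP = b"\x90" * 64 + xor(CONSTRUCTED_CONFIG, 0x2E) + b"\x00" * 32

if __name__ == "__main__":
    for off, key in find_xored_keyword(CONSTRUCTED_DUMP):
        print(f"XORed 'Mozilla/5.0' at 0x{off:x}, key 0x{key:02x}")
    key, off, cfg = find_beacon_config(CONSTRUCTED_DUMP)
    print(f"beacon config at 0x{off:x}, key 0x{key:02x}")
    for name, value in cfg.items():
        print(f"  {name:12} {value!r}")
```

On a real case you would read one of the .sdmp regions listed above into `dump` and run both functions; a keyword hit whose key equals the key that also reveals the config magic is the confirmation that the XORed User-Agent belongs to the beacon configuration rather than to some other XOR-packed string.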
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01318900
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_013121C0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0131C9C0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0130B8E0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0130ACE0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01334F00
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01324F60
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01345B60
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0131B3A0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01304780
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01304BE0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0131B7E0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01315BE0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0131C200
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0132E600
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01311665
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01308240
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01322240
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01303EA0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0130A2C0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_01324AC0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A88FE0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A747D0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A7A0B4
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A87060
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A86190
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A7B9E8
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A879D0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A6916C
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A80144
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A752C0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A7C2CC
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A8533C
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A6EC30
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A7CC10
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A86D77
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A69680
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A7AE74
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ACACB4
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ACD810
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8AC53D0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8AD7C60
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ACC5E8
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8AD85D0
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ACCD54
Source: C:\Windows\Temp\????????????.exe; Code function: String function: 01332C40 appears 247 times
Source: C:\Windows\Temp\????????????.exe; Code function: String function: 01330BA0 appears 191 times
Source: C:\Windows\Temp\????????????.exe; Code function: String function: 013323C0 appears 39 times
Source: C:\Windows\System32\cmd.exe; Section loaded: sfc.dll
Source: 1a#U77e5.exe; Static PE information: Number of sections : 14 > 10
Source: ????????????.exe.0.dr; Static PE information: Number of sections : 13 > 10
Source: 1a#U77e5.exe; Static PE information: Section: /19 ZLIB complexity 0.9987782579787234
Source: 1a#U77e5.exe; Static PE information: Section: /32 ZLIB complexity 0.9890455163043478
Source: 1a#U77e5.exe; Static PE information: Section: /65 ZLIB complexity 0.9983048349056604
Source: 1a#U77e5.exe; Static PE information: Section: /78 ZLIB complexity 0.9892698688271605
Source: ????????????.exe.0.dr; Static PE information: Section: /19 ZLIB complexity 0.9949880125661376
Source: ????????????.exe.0.dr; Static PE information: Section: /32 ZLIB complexity 0.9894425675675675
Source: ????????????.exe.0.dr; Static PE information: Section: /65 ZLIB complexity 0.9975082694986073
Source: ????????????.exe.0.dr; Static PE information: Section: /78 ZLIB complexity 0.9895907315340909
Source: 1a#U77e5.exe; Virustotal: Detection: 61%
Source: 1a#U77e5.exe; Metadefender: Detection: 22%
Source: 1a#U77e5.exe; ReversingLabs: Detection: 76%
Source: 1a#U77e5.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1a#U77e5.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\1a#U77e5.exe "C:\Users\user\Desktop\1a#U77e5.exe"
Source: C:\Users\user\Desktop\1a#U77e5.exe; Process created: C:\Windows\Temp\????????????.exe C:\Windows\Temp\????????????.exe 9gb3vbgeng
Source: C:\Windows\Temp\????????????.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1a#U77e5.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ?????????????????????.docx
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o "
Source: C:\Windows\Temp\????????????.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: ?????????????????????.LNK.7.dr; LNK file: ..\..\..\..\..\Desktop\.docx
Source: C:\Users\user\Desktop\1a#U77e5.exe; File created: C:\Users\user\Desktop\?????????????????????.docx
Source: C:\Users\user\Desktop\1a#U77e5.exe; File created: C:\Windows\Temp\????????????.exe
Source: classification engine; Classification label: mal100.troj.evad.winEXE@10/8@0/1
Source: C:\Windows\System32\cmd.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: 1a#U77e5.exe; Static file information: File size 4732928 > 1048576
Source: 1a#U77e5.exe; Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x33da00
Source: 1a#U77e5.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8A920EC push 0000006Ah; retf
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ABA71E push cs; retf
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8AD60DB push ebp; iretd
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8AD6124 push ebp; iretd
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8AD60FB push ebp; iretd
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ABA35D push edi; iretd
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ABBD58 push ebp; iretd
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_0000025BF8ADAE68 push ebp; iretd
Source: 1a#U77e5.exe; Static PE information: section name: /4
Source: 1a#U77e5.exe; Static PE information: section name: /19
Source: 1a#U77e5.exe; Static PE information: section name: /32
Source: 1a#U77e5.exe; Static PE information: section name: /46
Source: 1a#U77e5.exe; Static PE information: section name: /65
Source: 1a#U77e5.exe; Static PE information: section name: /78
Source: 1a#U77e5.exe; Static PE information: section name: /90
Source: 1a#U77e5.exe; Static PE information: section name: .symtab
Source: ????????????.exe.0.dr; Static PE information: section name: /4
Source: ????????????.exe.0.dr; Static PE information: section name: /19
Source: ????????????.exe.0.dr; Static PE information: section name: /32
Source: ????????????.exe.0.dr; Static PE information: section name: /46
Source: ????????????.exe.0.dr; Static PE information: section name: /65
Source: ????????????.exe.0.dr; Static PE information: section name: /78
Source: ????????????.exe.0.dr; Static PE information: section name: /90
Source: ????????????.exe.0.dr; Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\1a#U77e5.exe; File created (dropped PE file): C:\Windows\Temp\????????????.exe
Source: C:\Users\user\Desktop\1a#U77e5.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1a#U77e5.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\????????????.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Temp\????????????.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (62 occurrences)
Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Windows\Temp\????????????.exe TID: 2264; Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\Temp\????????????.exe; Last function: Thread delayed
Source: C:\Windows\Temp\????????????.exe; Code function: 3_2_013582C0 rdtscp
Source: C:\Windows\Temp\????????????.exe; Thread delayed: delay time: 60000
Source: 1a#U77e5.exe, 00000000.00000002.441267582.0000027D4128C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM]
Source: ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Windows\Temp\????????????.exe | Code function: 3_2_013582C0 Start: 013582C9 End: 013582DF
Source: C:\Windows\Temp\????????????.exe | Code function: 3_2_013582C0 rdtscp
Source: C:\Users\user\Desktop\1a#U77e5.exe | Process created: C:\Windows\Temp\????????????.exe C:\Windows\Temp\????????????.exe 9gb3vbgeng
Source: C:\Users\user\Desktop\1a#U77e5.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ?????????????????????.docx
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o "
Source: C:\Windows\Temp\????????????.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Temp\????????????.exe | Code function: 3_2_0000025BF8AC3B5C GetUserNameA,strrchr,_snprintf,

Remote Access Functionality

Source: Yara match | File source: 3.2.????????????.exe.25bf8a60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.????????????.exe.c000294000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.????????????.exe.c000294000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.????????????.exe.25bf8a60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ????????????.exe PID: 3016, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques flagged in this analysis carry the count shown in the matrix in parentheses; the remaining entries are the unflagged matrix cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (3); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph

Behavior Graph ID: 679126 | Sample: 1a#U77e5.exe | Start date: 05/08/2022 | Architecture: WINDOWS | Score: 100
Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 3 other signatures

Process and network nodes recovered from the graph:
  • 1a#U77e5.exe (graph counter 2): started; dropped C:\Windows\Temp\????????????.exe (PE32+); started ????????????.exe and cmd.exe
  • ????????????.exe (graph counter 1): contacted 124.221.206.154, port 1443, source ports 49755 and 49763, JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR, China; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Potentially malicious time measurement code found; started conhost.exe
  • cmd.exe (graph counters 5, 2): started WINWORD.EXE (graph counters 248, 35) and conhost.exe
Initial Sample

Source | Detection | Scanner | Label
1a#U77e5.exe | 61% | Virustotal |
1a#U77e5.exe | 23% | Metadefender |
1a#U77e5.exe | 77% | ReversingLabs | Win64.Trojan.CobaltStrike
1a#U77e5.exe | 100% | Avira | TR/CobaltStrike.fyzok

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\Temp\????????????.exe | 100% | Avira | HEUR/AGEN.1211767
C:\Windows\Temp\????????????.exe | 26% | Metadefender |
C:\Windows\Temp\????????????.exe | 62% | ReversingLabs | Win64.Downloader.Gobalt

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.????????????.exe.1300000.0.unpack | 100% | Avira | HEUR/AGEN.1211767
0.0.1a#U77e5.exe.2a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211854
0.2.1a#U77e5.exe.2a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211854
3.0.????????????.exe.1300000.0.unpack | 100% | Avira | HEUR/AGEN.1211767

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://roaming.edog. | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://124.221.206.154:1443/ubmit.phpn | 100% | Avira URL Cloud | malware
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://124.221.206.154:1443/ubmit.php | 100% | Avira URL Cloud | malware
https://124.221.206.154/n-US | 100% | Avira URL Cloud | malware
https://my.microsoftpersonalcontent.com | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://124.221.206.154:1443/ | 100% | Avira URL Cloud | malware
https://api.aadrm.com | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://124.221.206.154/W | 100% | Avira URL Cloud | malware
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://124.221.206.154:1443/submit.phpo | 100% | Avira URL Cloud | malware
https://ncus.contentsync. | 0% | URL Reputation | safe
https://124.221.206.154:1443/submit.phpw | 100% | Avira URL Cloud | malware
https://124.221.206.154:1443/submit.phpy | 100% | Avira URL Cloud | malware
https://124.221.206.154/- | 100% | Avira URL Cloud | malware
https://124.221.206.154:1443/submit.phpx | 100% | Avira URL Cloud | malware
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
124.221.206.154 | 100% | Avira URL Cloud | malware
https://124.221.206.154:1443/0; | 100% | Avira URL Cloud | malware
https://124.221.206.154:1443/submit.phpI | 100% | Avira URL Cloud | malware
https://wus2.contentsync. | 0% | URL Reputation | safe
https://124.221.206.154:1443/submit.phpQ | 100% | Avira URL Cloud | malware
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://124.221.206.154:1443/submit.phpc | 100% | Avira URL Cloud | malware
https://124.221.206.154:1443/submit.phpe | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
124.221.206.154 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://login.microsoftonline.com/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://shell.suite.office.com:1443 | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://autodiscover-s.outlook.com/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://roaming.edog. | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://cdn.entity. | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://powerlift.acompli.net | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://cortana.ai | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://entitlement.diagnosticssdf.office.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://api.aadrm.com/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://124.221.206.154:1443/ubmit.phpn | ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://api.microsoftstream.com/api/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://cr.office.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://graph.ppe.windows.net | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://officeci.azurewebsites.net/api/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://124.221.206.154:1443/ubmit.php | ????????????.exe, 00000003.00000002.707570619.0000025BF3699000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://124.221.206.154/n-US | ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://my.microsoftpersonalcontent.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | Avira URL Cloud: safe | unknown
https://store.office.cn/addinstemplate | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://124.221.206.154:1443/ | ????????????.exe, 00000003.00000003.680436999.0000025BF36DA000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450674237.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645708761.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546244712.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472618349.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515410872.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707824461.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507054004.0000025BF36D1000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565779330.0000025BF36CD000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://api.aadrm.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://globaldisco.crm.dynamics.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://messaging.engagement.office.com/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://dev0-api.acompli.net/autodetect | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://api.powerbi.com/v1.0/myorg/groups | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://web.microsoftstream.com/video/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://dataservice.o365filtering.com/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://124.221.206.154/W | ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://officesetup.getmicrosoftkey.com | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://124.221.206.154:1443/submit.phpo | ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://ncus.contentsync. | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://124.221.206.154:1443/submit.phpw | ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://124.221.206.154:1443/submit.phpy | ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://124.221.206.154/- | ????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://124.221.206.154:1443/submit.phpx | ????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
http://weather.service.msn.com/data.aspx | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://apis.live.net/v5.0/ | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.dr | false | | high
https://124.221.206.154:1443/0; | ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp | true
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://messaging.lifecycle.office.com/E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                        high
                                                                                        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                          high
                                                                                          https://124.221.206.154:1443/submit.phpI????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://management.azure.comE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                            high
                                                                                            https://outlook.office365.comE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                              high
                                                                                              https://wus2.contentsync.E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://incidents.diagnostics.office.comE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                high
                                                                                                https://clients.config.office.net/user/v1.0/iosE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                  high
                                                                                                  https://124.221.206.154:1443/submit.phpQ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.463998398.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.507141900.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                  • Avira URL Cloud: malware
                                                                                                  unknown
                                                                                                  https://insertmedia.bing.office.net/odc/insertmediaE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                    high
                                                                                                    https://o365auditrealtimeingestion.manage.office.comE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                      high
                                                                                                      https://outlook.office365.com/api/v1.0/me/ActivitiesE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                        high
                                                                                                        https://api.office.netE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                          high
                                                                                                          https://incidents.diagnosticssdf.office.comE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                            high
                                                                                                            https://asgsmsproxyapi.azurewebsites.net/E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://clients.config.office.net/user/v1.0/android/policiesE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                              high
                                                                                                              https://entitlement.diagnostics.office.comE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                                high
                                                                                                                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                                  high
                                                                                                                  https://substrate.office.com/search/api/v2/initE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                                    high
                                                                                                                    https://124.221.206.154:1443/submit.phpc????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.698330034.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.519760880.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 
00000003.00000003.515437734.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.533004895.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                    • Avira URL Cloud: malware
                                                                                                                    unknown
                                                                                                                    https://outlook.office.com/E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                                      high
                                                                                                                      https://124.221.206.154:1443/submit.phpe????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.550870441.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.546326792.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.650269287.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.446429982.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000002.707886816.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.459728313.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.455168561.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.581376031.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.555953821.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.561061987.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.630445997.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.565837469.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.645791258.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.468267152.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.472644248.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 
00000003.00000003.625692730.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.680612251.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.450683931.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.524018797.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                      • Avira URL Cloud: malware
                                                                                                                      unknown
                                                                                                                      https://storage.live.com/clientlogs/uploadlocationE231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                                        high
                                                                                                                        https://outlook.office365.com/E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse
                                                                                                                          high
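The raw URL rows above fuse the carved URL, the source column and the malicious flag into one string, which is why the same C2 URL shows up five times with a different stray byte after submit.php and why the Office telemetry endpoints sit in the same list as the C2 address. The script below is an added example, not part of the report and not Joe Sandbox tooling: it splits such rows, normalises the URLs, separates the 124.221.206.154 indicators from the benign dropped-file rows, and then runs the result over a few proxy log lines. The row layout (source column begins with the process name or a "<GUID>.<n>.dr" dropped-file id) and the rule for dropping one trailing byte after a web extension are assumptions drawn from the rows visible here; the sample rows are copies of rows from this table with their dump lists cut short, and the proxy log lines are constructed.

```python
"""Normalise the URL rows of a Joe Sandbox report into IOCs and hunt for them.

Added example, not Joe Sandbox tooling. The row layout is assumed from the
rows visible in the report: URL, source column (process name plus memory-dump
ids, or a dropped-file id such as E231148E-....7.dr) and the malicious flag
are run together in one string.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: rows copied from this report's URL table, with the long
# lists of memory-dump ids cut down to one or two entries each.
SAMPLE_ROWS = [
    "https://124.221.206.154/-????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmp, ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://124.221.206.154:1443/submit.phpx????????????.exe, 00000003.00000002.707682885.0000025BF36AC000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://124.221.206.154:1443/0;????????????.exe, 00000003.00000003.595821118.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://124.221.206.154:1443/submit.phpI????????????.exe, 00000003.00000003.528285189.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://124.221.206.154:1443/submit.phpQ????????????.exe, 00000003.00000003.511119713.0000025BF36E3000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://outlook.office365.com/E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse",
    "https://apis.live.net/v5.0/E231148E-230F-4D9C-B6F4-7F66C34B8E20.7.drfalse",
]

# Constructed proxy log (not from the report): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2022-08-05T08:01:12Z 10.0.0.14 POST https://124.221.206.154:1443/submit.php?id=51 200
2022-08-05T08:01:15Z 10.0.0.14 GET https://outlook.office365.com/ 200
2022-08-05T08:02:40Z 10.0.0.27 GET https://124.221.206.154:8443/favicon.ico 404
"""

# The source column starts with either the process name (the report renders the
# non-ASCII file name as a run of '?') or a dropped-file id "<GUID>.<n>.dr".
SOURCE_START = re.compile(
    r"\?+\.exe, |[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.\d+\.dr"
)
WEB_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".cgi", ".html", ".htm")


def parse_row(row: str) -> dict:
    """Split one flattened row into URL, source text, dump ids and malicious flag."""
    flag = row.endswith("true")
    body = row[:-4] if flag else row[:-5]          # strip "true" / "false"
    m = SOURCE_START.search(body)
    if m is None:
        raise ValueError("no source column in row: " + row[:60])
    url, source = body[:m.start()], body[m.start():]
    dumps = [s.strip() for s in source.split(",") if s.strip().endswith(".sdmp")]
    return {"url": url, "source": source, "dumps": dumps, "malicious": flag}


def normalise(url: str) -> tuple:
    """Return (host, port, path).

    URLs carved from process memory carry one stray byte after the path
    (submit.phpx, submit.phpI, ...): the carver ran into the next byte in
    memory. Drop that byte when the rest of the path ends in a web extension;
    otherwise keep the path exactly as carved ("/0;", "/-") so nothing is
    invented. Assumed rule, derived from the rows in this report.
    """
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if path[:-1].endswith(WEB_EXTENSIONS):
        path = path[:-1]
    return parts.hostname, port, path


def extract_iocs(rows) -> dict:
    """Collapse malicious rows to (host, port, path), weighted by how many
    memory dumps referenced them. Hosts from the non-malicious rows (Office
    service endpoints read from a dropped Word config file) are returned
    separately so they do not land on a blocklist by accident."""
    iocs, benign = Counter(), set()
    for row in map(parse_row, rows):
        key = normalise(row["url"])
        if row["malicious"]:
            iocs[key] += max(1, len(row["dumps"]))
        else:
            benign.add(key[0])
    return {"iocs": dict(iocs), "benign_hosts": sorted(benign)}


def hunt(log_text: str, iocs: dict) -> list:
    """Match proxy log lines on the C2 host. The port is reported rather than
    required: a beacon moved to another port still talks to the same server."""
    known = {(host, port) for host, port, _ in iocs}
    hosts = {host for host, _ in known}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host, port, _ = normalise(fields[3])
        if host in hosts:
            hits.append({"line": line, "port_match": (host, port) in known})
    return hits


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_ROWS)
    for (host, port, path), weight in sorted(result["iocs"].items()):
        print(f"{host}:{port}{path}  (seen in {weight} dump(s))")
    print("not indicators:", ", ".join(result["benign_hosts"]))
    for hit in hunt(SAMPLE_PROXY_LOG, result["iocs"]):
        print("HIT" if hit["port_match"] else "HIT (other port)", hit["line"])
```

On the sample rows this yields one weighted C2 entry for 124.221.206.154:1443/submit.php, keeps "/-" and "/0;" as carved rather than guessing what they were, and lists outlook.office365.com and apis.live.net as hosts not to block. The hunt step deliberately keys on the host and only annotates the port, because the report itself shows the same server on both 443 and 1443.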
IPs (IP; domain; country; ASN; malicious)

IP: 124.221.206.154
Domain: unknown
Country: China
ASN: 45361 (JCN-AS-KR, Ulsan Jung-Ang Broadcasting Network, KR)
Malicious: true

The geolocation (China) and the ASN registration (a Korean broadcaster) do not agree, so do not build attribution or an ASN-level block on this entry; key detection on the address itself and on the non-standard port 1443 seen in the URLs above.
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679126
Start date and time: 2022-08-05 09:54:36 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1a#U77e5.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/8@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 45.8% (good quality ratio 43%)
• Quality average: 68.2%
• Quality standard deviation: 27.6%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.88.191, 52.109.76.33, 52.109.12.21, 20.238.103.94, 20.223.24.244
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target 1a#U77e5.exe, PID 5296, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found

Coverage caveat: this is a light report that stopped on timeout, with the TCP capture truncated to 100 packets and some processes not analyzed, so the absence of a behavior or network entry below is a gap in coverage, not evidence that the behavior did not occur.
Time / Type / Description
09:55:50 / API Interceptor / 30x Sleep call for process ????????????.exe modified

The API Interceptor shortens Sleep calls so that a sample's sleep intervals do not run out the analysis clock; thirty patched calls in this process means the sample spent much of the run sleeping, which is the behavior a beacon's sleep interval produces.
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 148061
Entropy (8bit): 5.35816450806037
Encrypted: false
SSDEEP: 1536:ncQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:W1Q9DQe+zuXYr
MD5: DD89B24BAA865B152396CB932251EA2F
SHA1: D0DB98C4FE2E281C64DF4F44DF5279F34E56DB54
SHA-256: E25E7342FAD7C59D3D7E5F224BC370F1541CE3AD01FAF4C922F84F71137AF827
SHA-512: E6599769C65FE10E4E70997B37F2A343BB6169C3FD09DB837A51386BE4E5DA019AF389D1AF09DABF60A80FD45F2347F6244930AA4AEBBE31066772D048039880
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-05T07:55:52">.. <!-- Build: 16.0.15601.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
This is Word's own service-configuration download (the source of the Microsoft endpoints in the URL table above), not something the sample wrote.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 5 15:55:47 2022, mtime=Fri Aug 5 15:55:52 2022, atime=Fri Aug 5 15:55:47 2022, length=16768, window=hide
Category: dropped
Size (bytes): 1231
Entropy (8bit): 5.014235188340708
Encrypted: false
SSDEEP: 12:81t6bU9G6CHihArh3GXqDkDlM8+WABe1OW7EO/ypaZFVW7LVW7KNDyffD4t2Y+x4:81ZArsUkDuPW7EOKqW7hW7ODyR7aB6m
MD5: 355E58BF021D90BF3CCDCD8503F910A1
SHA1: 34D3B542D1ABDD5B042B1BF790EEBD705899BFAC
SHA-256: F40C4F240348D97AB8EB36F2DAA14F896B297339E8E2581A84AEC5AB20AB7AFD
SHA-512: 5A17937914179F6E98746DC8D45C82632DA16361A5E126E9403C74AC741E3D69FBF081B14FF1DDB7FDC4948C957ED0FDEBCB9C9B069D84069A21C6A4FB488A1F
Malicious: false
Reputation: low
Preview: L..................F.... ...g.5...}-.8.../S.5....A...........................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...U......................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....hT....user..>.......NM..U.......S.....................`..a.l.f.o.n.s.....~.1......U....Desktop.h.......NM..U.......Y..............>......"Y.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..A...U.. .6ADF~1.DOC..f.......U...U.............................V.sQ.N..V.SP[lQ.S._U\Q..~.[hQ;e2..o`N.v...w..d.o.c.x...........$.......$...5...........h...............>.S......C:\Users\user\Desktop\?????????????????????.docx.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.sQ.N..V.SP[lQ.S._U\Q..~.[hQ;e2..o`N.v...w..d.o.c.x.......1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.sQ.N..V.SP[lQ.S._U\Q..~.[hQ;e2..o`N.v...w..d.o.c.x.........:..,.LB.)...Aw...`.......X.......927537...........!a..%.H.VZAj.....s.........W...!a..%.H.VZAj..
The shortcut was written by WINWORD.EXE and points to a .docx on the user's desktop whose name consists of non-ASCII characters the report renders as "?"; the document was opened during the analysis (mtime Aug 5 15:55:52). Note that the report rewrites the ASCII copy of the path to C:\Users\user\..., while the UTF-16 copy inside the shortcut still shows the analysis account name (a.l.f.o.n.s), so "user" in paths elsewhere in this report is a sandbox placeholder, not a value to put in path-based indicators.

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):94
                                                                                                                          Entropy (8bit):3.408464248242645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:bDuMJlWt6lmxWLRt6lv:bCNkRS
                                                                                                                          MD5:113750065807DAD15C00A178EB21FC45
                                                                                                                          SHA1:903505EE9B97E1FA7F39E9B9ECE4DE9B286E9289
                                                                                                                          SHA-256:04AFC953D6AAE679A3ABDBE0FF0B8C144B16D4CCF84959A2793E57F6777AB8DF
                                                                                                                          SHA-512:1F89B0584EEB6381314116748832AF82310053B659721AD6A07041FEAAA8E03E1A0EAF4C5400E1BBBB415B4A678C2C20F788AB8A69A6E2BB06436FB8B7C2DF8B
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:[folders]..Templates.LNK=0..?????????????????????.LNK=0..[misc]..?????????????????????.LNK=0..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):162
                                                                                                                          Entropy (8bit):2.9237687128468073
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Rl/Zdn98Udk1+lllllzHLl+l/Lcalt13l/9l:RtZT8Uq0ll/Ml/V
                                                                                                                          MD5:8DCBD88C0E65C7ECD29DAE006EE77D62
                                                                                                                          SHA1:EC6B2ADD4B3D90DB15700AC4D17BD605A33C870F
                                                                                                                          SHA-256:B1895309312CB6286E97EE77C39BDF25D76C3298190EADB8DB26D487D2E3C7DF
                                                                                                                          SHA-512:876FAF0B0681079CFA978F84C0BA46318998807C29811E4874D166F66D1E6E241E2237AEB26498E823193885E05BCDA230C357A91B640C35204D031333ECDC2A
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:.pratesh................................................p.r.a.t.e.s.h.....L+....9i.0..............f.........q...5i.1.../........................1i.2..............
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):20
                                                                                                                          Entropy (8bit):2.8954618442383215
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:QVNliGn:Q9rn
                                                                                                                          MD5:C4F79900719F08A6F11287E3C7991493
                                                                                                                          SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
                                                                                                                          SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
                                                                                                                          SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
                                                                                                                          Malicious:false
                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                          Preview:..p.r.a.t.e.s.h.....
                                                                                                                          Process:C:\Users\user\Desktop\1a#U77e5.exe
                                                                                                                          File Type:Zip archive data, at least v1.0 to extract
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16768
                                                                                                                          Entropy (8bit):7.828953909266841
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:aYn7elOjZppldfDmfFPpT83uzRz/4id7miP9jT:aYnKlOjZPldfDMFPG+zRz5p
                                                                                                                          MD5:5F48BBB1AAC3B8D63AAAE3EC114BA340
                                                                                                                          SHA1:31FC3508AF156D67DA4BC6FE8D41206BDA5276EE
                                                                                                                          SHA-256:80596668ABC2C8C42481AD06713039198F08EB11C543061C3F9657A51248D04F
                                                                                                                          SHA-512:F5C3AF4E2269094C5381C512AE2A13C8204A34477DD47DB5D7ED4FC7BC986ECB36B2EF17B0A7470D1CB64404B8035CB7D27563C45E7F8E94FA92CFB9E3F6B9E8
                                                                                                                          Malicious:false
                                                                                                                          Preview:PK.........N.@................docProps/PK.........N.@...j...|.......docProps/app.xml.R.N.0..#..Q...-....'...@..r..Eb[.A..q^Q.Wn;3.x.c.......WF.R..4A-M..a.>7.."M|.....J....~y..g,...'.B.U.`....A.<.:*{..."t.b.{%.....u .......6.g...x...j..9../.......l/...c.>oM...Y..z>.r.`g\.y.,..F.;..qS.UU.dB....8..9M......<......o.|A.}?..R.X..|/z.@~..7.l.s7>.[.MN..T.V.1.,.Y'.....!V.w.m....W....r.fW......W.uVT.:...6[...hY.s.....@.N...|w*.9.2.q....PK.........N.@N..e............docProps/core.xml}..N.1...H.......$..Y$Z.T.J.*.........)\*.K...@j..K.y..q.+..I.A .3..7.x...4..u*3]D...`D&..t.a..vP.<7.......C{..V,r&2..l....\P..c"..9..!h........j...p...>......<..s\..&..R.....i...C...w.6(...`.{...l(...iew.-.X.O.....1nV6.......X..*S.....RT..=....u.S..~.%..hH....I..e.|..Z../.KVf...2....H........Ir.....t1...].~}.]....._.?|.........ySm[.@...B..I.O[l.....k@RZ.0R..K..N5.NT...<.PK.........N.@....'...........docProps/custom.xml...K.0....C.=....mG. .....4..MR.t:.............}.{..E..(..
                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):162
                                                                                                                          Entropy (8bit):2.9237687128468073
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Rl/Zdn98Udk1+lllllzHLl+l/Lcalt13l/9l:RtZT8Uq0ll/Ml/V
                                                                                                                          MD5:8DCBD88C0E65C7ECD29DAE006EE77D62
                                                                                                                          SHA1:EC6B2ADD4B3D90DB15700AC4D17BD605A33C870F
                                                                                                                          SHA-256:B1895309312CB6286E97EE77C39BDF25D76C3298190EADB8DB26D487D2E3C7DF
                                                                                                                          SHA-512:876FAF0B0681079CFA978F84C0BA46318998807C29811E4874D166F66D1E6E241E2237AEB26498E823193885E05BCDA230C357A91B640C35204D031333ECDC2A
                                                                                                                          Malicious:false
                                                                                                                          Preview:.pratesh................................................p.r.a.t.e.s.h.....L+....9i.0..............f.........q...5i.1.../........................1i.2..............
                                                                                                                          Process:C:\Users\user\Desktop\1a#U77e5.exe
                                                                                                                          File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2062848
                                                                                                                          Entropy (8bit):6.989271790744726
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:VLG1BKsKoBqgde0DTIK2u4WXr3R0lgaWPPCwha1w0UHfLBamlNRDz:VLGKTZBermgaWPPCwha14/LR
                                                                                                                          MD5:84E3D79DA5E503374E61A17351781C14
                                                                                                                          SHA1:6C4710E5E6BC0F991C6954E64E76EC8BF796A2E1
                                                                                                                          SHA-256:6254E9F7F9E61A1A80E8A3C01757B8D29C9AC0EB0D596236FC0A2944FD44DFD6
                                                                                                                          SHA-512:B287D405B01AAA7B7C35AE1787395CCE626A4565B28BB74D2AA715D251D580AAB4EEE513D29885728B56F0175CB13238B6DCF0EC228DB83C6AC90CA7EEECC4D8
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Metadefender, Detection: 26%, Browse
                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........*..9....."..........Z......`.........@...............................%...........`... ...............................................#.|.............................$..%.................................................. Q..@............................text............................... ..`.rdata...#... ...$..................@..@.data........P...Z...:..............@.../4......'....P......................@..B/19.....=x...`...z..................@..B/32.....,I.......J..................@..B/46.....*....0.......Z..............@..B/65.....-....@.......\..............@..B/78.....I_...."..`...*..............@..B/90.....|r...p#..t..................@..B.idata..|.....#.....................@....reloc...%....$..&..................@..B.symtab..O...0$..P...*.................B........................................................................................
                                                                                                                          File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                          Entropy (8bit):6.725931255932212
                                                                                                                          TrID:
                                                                                                                          • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                          • DOS Executable Generic (2002/1) 12.50%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                          File name:1a#U77e5.exe
                                                                                                                          File size:4732928
                                                                                                                          MD5:3f2202e24ad0a66c08f88a18dd7b5fb4
                                                                                                                          SHA1:62df51eb1351279afa4dbe5920758d6974427ac9
                                                                                                                          SHA256:eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d
                                                                                                                          SHA512:cd87c99ce09a29a5317343e04bb55fd63cd0b98cebcb08793a9b1dd275a9c6ce09c53fb7f901fc6083d8992360d3fbe02438d4143a907be64e7bdca15567bc27
                                                                                                                          SSDEEP:49152:BuZC3FJrb/TWvO90dL3BmAFd4A64nsfJ+WNq3v3MVkOHx3bEnnkY3Xw4g9MUth7A:aC3F0uKUrwUZ0
                                                                                                                          TLSH:2426BF333982B8FADAAD697184242D411D7CB88B172053C7BB4975FE36BA2D44D3C768
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........F.P....."..........~......@.........@..............................PN...........`... ............................
                                                                                                                          Icon Hash:554d5c5469694525
                                                                                                                          Entrypoint:0x45ca40
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:6
                                                                                                                          OS Version Minor:1
                                                                                                                          File Version Major:6
                                                                                                                          File Version Minor:1
                                                                                                                          Subsystem Version Major:6
                                                                                                                          Subsystem Version Minor:1
                                                                                                                          Import Hash:9cbefe68f395e67356e2a5d8d1b285c0
                                                                                                                          Instruction
                                                                                                                          jmp 00007FAA8CC452C0h
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          pushfd
                                                                                                                          cld
                                                                                                                          dec eax
                                                                                                                          sub esp, 000000E0h
                                                                                                                          dec eax
                                                                                                                          mov dword ptr [esp], edi
                                                                                                                          dec eax
                                                                                                                          mov dword ptr [esp+08h], esi
                                                                                                                          dec eax
                                                                                                                          mov dword ptr [esp+10h], ebp
                                                                                                                          dec eax
                                                                                                                          mov dword ptr [esp+18h], ebx
                                                                                                                          dec esp
                                                                                                                          mov dword ptr [esp+20h], esp
                                                                                                                          dec esp
                                                                                                                          mov dword ptr [esp+28h], ebp
                                                                                                                          dec esp
                                                                                                                          mov dword ptr [esp+30h], esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4c6000 | 0x47c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e2000 | 0x2678 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4c7000 | 0x2b0a | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3cf140 | 0x140 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8fc6a | 0x8fe00 | False | 0.4675638710903562 | data | 6.177951506515494 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x91000 | 0x33d8f0 | 0x33da00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3cf000 | 0x720a0 | 0x17e00 | False | 0.35497791230366493 | data | 4.298912004398371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0x442000 | 0x127 | 0x200 | False | 0.6171875 | data | 5.097874074212899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x443000 | 0x1d578 | 0x1d600 | False | 0.9987782579787234 | data | 7.993303104291631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32 | 0x461000 | 0x5b0b | 0x5c00 | False | 0.9890455163043478 | data | 7.917262410977086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46 | 0x467000 | 0x2a | 0x200 | False | 0.091796875 | data | 0.7534025800416837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65 | 0x468000 | 0x34e35 | 0x35000 | False | 0.9983048349056604 | data | 7.995735953621072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78 | 0x49d000 | 0x1e401 | 0x1e600 | False | 0.9892698688271605 | data | 7.987159878797264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90 | 0x4bc000 | 0x977c | 0x9800 | False | 0.9757401315789473 | data | 7.788382558202588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x4c6000 | 0x47c | 0x600 | False | 0.3313802083333333 | data | 3.514698326038637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x4c7000 | 0x2b0a | 0x2c00 | False | 0.3710049715909091 | data | 5.397043934669771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x4ca000 | 0x17c10 | 0x17e00 | False | 0.2733045647905759 | data | 5.119810305846417 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x4e2000 | 0x2678 | 0x2800 | False | 0.43115234375 | data | 5.682287008823302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4e20b8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4280181209, next used block 4280181211 | English | United States
RT_GROUP_ICON | 0x4e4660 | 0x14 | data | English | United States
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                                                                          Click to jump to process

Target ID: 0
Start time: 09:55:44
Start date: 05/08/2022
Path: C:\Users\user\Desktop\1a#U77e5.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\1a#U77e5.exe"
Imagebase: 0x2a0000
File size: 4732928 bytes
MD5 hash: 3F2202E24AD0A66C08F88A18DD7B5FB4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 3
Start time: 09:55:46
Start date: 05/08/2022
Path: C:\Windows\Temp\????????????.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Temp\????????????.exe 9gb3vbgeng
Imagebase: 0x1300000
File size: 2062848 bytes
MD5 hash: 84E3D79DA5E503374E61A17351781C14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Cobaltbaltstrike_Beacon_Encoded, Description: Detects CobaltStrike payloads, Source: 00000003.00000002.706923007.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: Cobaltbaltstrike_Beacon_Encoded, Description: Detects CobaltStrike payloads, Source: 00000003.00000002.705984762.000000C000174000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: netbiosX, Florian Roth
• Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: FireEye
• Rule: CobaltStrike_Sleep_Decoder_Indicator, Description: Detects CobaltStrike sleep_mask decoder, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: CodeX
• Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000003.00000002.708528999.0000025BF8AB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Cobaltbaltstrike_Beacon_Encoded, Description: Detects CobaltStrike payloads, Source: 00000003.00000002.706488711.000000C00023E000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: netbiosX, Florian Roth
• Rule: ReflectiveLoader, Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: Cobaltbaltstrike_Beacon_x64, Description: Detects CobaltStrike payloads, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: CobaltStrike_Sleep_Decoder_Indicator, Description: Detects CobaltStrike sleep_mask decoder, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator, Description: Detects CobaltStrike C2 encoded profile configuration, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: CodeX
• Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000003.00000002.706659139.000000C000294000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: netbiosX, Florian Roth
• Rule: ReflectiveLoader, Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: Cobaltbaltstrike_Beacon_x64, Description: Detects CobaltStrike payloads, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
• Rule: CobaltStrike_Sleep_Decoder_Indicator, Description: Detects CobaltStrike sleep_mask decoder, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator, Description: Detects CobaltStrike C2 encoded profile configuration, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
• Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: CodeX
• Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000003.00000002.708356136.0000025BF8A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 26%, Metadefender
• Detection: 62%, ReversingLabs
Reputation: low

Target ID: 4
Start time: 09:55:47
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77f440000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 5
Start time: 09:55:47
Start date: 05/08/2022
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c start ?????????????????????.docx
Imagebase: 0x7ff602050000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 09:55:48
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77f440000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 7
Start time: 09:55:49
Start date: 05/08/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\?????????????????????.docx" /o "
Imagebase: 0xb60000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly