
Analysis Report CPA accountant COVID_19 pandemic relief (20,000$).exe

Overview

General Information

Sample Name:CPA accountant COVID_19 pandemic relief (20,000$).exe
MD5:1918fa86b99fda35462ec060e9c419bb
SHA1:3d393d15044bd193851297bdc94c38f44a6e1fd2
SHA256:a34bd4c266e3891796816854e78d62384dcf36a8f456476e69d0dacf109d1737


Detection

NetWire
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Yara detected Netwire RAT
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign process
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locale information (e.g. system language)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in its version info
Starts Microsoft Word (often done to prevent the user from noticing that something is wrong)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • CPA accountant COVID_19 pandemic relief (20,000$).exe (PID: 912 cmdline: 'C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe' MD5: 1918FA86B99FDA35462EC060E9C419BB)
    • service.exe (PID: 5440 cmdline: 'C:\Users\user\Desktop\service.exe' MD5: A69B9CF282C900D55CD7452E039DAF41)
      • schtasks.exe (PID: 5540 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFEE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • service.exe (PID: 4312 cmdline: C:\Users\user\Desktop\service.exe MD5: A69B9CF282C900D55CD7452E039DAF41)
      • service.exe (PID: 4160 cmdline: C:\Users\user\Desktop\service.exe MD5: A69B9CF282C900D55CD7452E039DAF41)
    • WINWORD.EXE (PID: 5412 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /n 'C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).docx' /o '' MD5: EFDE23ECDF60D334C31AF2A041439360)
  • service.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\service.exe' MD5: A69B9CF282C900D55CD7452E039DAF41)
    • schtasks.exe (PID: 5664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B51.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • service.exe (PID: 5808 cmdline: C:\Users\user\Desktop\service.exe MD5: A69B9CF282C900D55CD7452E039DAF41)
  • service.exe (PID: 5820 cmdline: 'C:\Users\user\Desktop\service.exe' MD5: A69B9CF282C900D55CD7452E039DAF41)
    • schtasks.exe (PID: 5956 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmp3C47.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • service.exe (PID: 4220 cmdline: C:\Users\user\Desktop\service.exe MD5: A69B9CF282C900D55CD7452E039DAF41)
    • service.exe (PID: 460 cmdline: C:\Users\user\Desktop\service.exe MD5: A69B9CF282C900D55CD7452E039DAF41)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Author: Florian Roth
  • 0x231a8:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x2280b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x232b1:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x2286e:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x232e5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x23072:$s6: %s\%s.bat
  • 0x22830:$s7: DEL /s "%s" >nul 2>&1
Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxiliary, Author: Florian Roth
  • 0x2280b:$s1: ping 192.0.2.2 -n 1
Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, Rule: Malicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxiliary, Author: Florian Roth
  • 0x22847:$s1: call :deleteSelf&exit /b
Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, Rule: JoeSecurity_Netwire, Description: Yara detected Netwire RAT, Author: Joe Security
Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, Rule: netwire, Description: detect netwire in memory, Author: JPCERT/CC Incident Response Group
  • 0x2280b:$ping: ping 192.0.2.2
  • 0x232b1:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(43 entries in total; the remainder are not shown here.)

Unpacked PEs

Source: 17.2.service.exe.400000.0.raw.unpack, Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Author: Florian Roth
  • 0x231a8:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x2280b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x232b1:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x2286e:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x232e5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x23072:$s6: %s\%s.bat
  • 0x22830:$s7: DEL /s "%s" >nul 2>&1
Source: 17.2.service.exe.400000.0.raw.unpack, Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxiliary, Author: Florian Roth
  • 0x2280b:$s1: ping 192.0.2.2 -n 1
Source: 17.2.service.exe.400000.0.raw.unpack, Rule: Malicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxiliary, Author: Florian Roth
  • 0x22847:$s1: call :deleteSelf&exit /b
Source: 17.2.service.exe.400000.0.raw.unpack, Rule: JoeSecurity_Netwire, Description: Yara detected Netwire RAT, Author: Joe Security
Source: 17.2.service.exe.400000.0.raw.unpack, Rule: netwire, Description: detect netwire in memory, Author: JPCERT/CC Incident Response Group
  • 0x22580:$v1: HostId-%Rand%
  • 0x2280b:$ping: ping 192.0.2.2
  • 0x232b1:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(25 entries in total; the remainder are not shown here.)

Sigma Overview

System Summary:

Sigma detected: NetWire
Source: Registry Key set, Author: Joe Security, Data: Details: HostId-OoUsya, EventID: 13, Image: C:\Users\user\Desktop\service.exe, ProcessId: 4160, TargetObject: HKEY_CURRENT_USER\Software\NetWire\HostId
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFEE.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFEE.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\service.exe' , ParentImage: C:\Users\user\Desktop\service.exe, ParentProcessId: 5440, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFEE.tmp', ProcessId: 5540
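The two Sigma hits above describe a persistence pattern that is easy to express as detection logic. The Python below is an added example written for this page; it is not Joe Sandbox code and not one of the Sigma rules the report credits. It evaluates Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) records, using constructed events whose field names and values mirror the ones quoted above plus made-up benign controls, and flags schtasks.exe /Create runs whose /XML task definition lives in a temp directory, together with writes to HKCU\Software\NetWire\HostId. One detail from the report is worth building in: the command line names C:\Windows\System32\schtasks.exe, but the Image that actually ran is C:\Windows\SysWOW64\schtasks.exe (file-system redirection for the 32-bit service.exe), so the rule matches on the image basename rather than on the path written in the command line. The TEMP_DIRS list and the benign events are assumptions of the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Sysmon-style events (not real log output). The first two reproduce the
# field values quoted in the Sigma hits above; the rest are benign controls made up
# for the example.
EVENTS: List[Dict[str, str]] = [
    {   # process creation: schtasks registering a task definition from %TEMP%
        "EventID": "1", "ProcessId": "5540", "ParentProcessId": "5440",
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HRgFfvmwT' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFEE.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\service.exe",
    },
    {   # registry value set: NetWire writes its host identifier
        "EventID": "13", "ProcessId": "4160",
        "Image": r"C:\Users\user\Desktop\service.exe",
        "TargetObject": r"HKEY_CURRENT_USER\Software\NetWire\HostId",
        "Details": "HostId-OoUsya",
    },
    {   # benign (constructed): task created from an XML under Program Files
        "EventID": "1", "ProcessId": "7001", "ParentProcessId": "7000",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # benign (constructed): query only, no /Create
        "EventID": "1", "ProcessId": "7002", "ParentProcessId": "7000",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Query /TN Updates\HRgFfvmwT",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign (constructed): unrelated HKCU write
        "EventID": "13", "ProcessId": "7003",
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

# Assumed temp locations; compared case-insensitively against the /XML argument.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%\\", "%tmp%\\")

# /XML <path>, where <path> may be wrapped in single quotes, double quotes or none.
XML_ARG = re.compile(r"/xml\s+(['\"]?)(.+?)\1(?=\s|$)", re.IGNORECASE)


def xml_task_path(cmdline: str) -> Optional[str]:
    """Return the task-definition path passed to schtasks /XML, or None."""
    m = XML_ARG.search(cmdline)
    return m.group(2) if m else None


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return any(t in p for t in TEMP_DIRS)


def rule_scheduled_task_from_temp(ev: Dict[str, str]) -> bool:
    """EventID 1, image is schtasks.exe, /Create present, /XML points into a temp dir.
    Matching on Image rather than on the path in CommandLine matters: the 32-bit
    dropper wrote System32 on the command line but SysWOW64\\schtasks.exe ran."""
    if ev.get("EventID") != "1":
        return False
    if not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    path = xml_task_path(cmd)
    return path is not None and is_temp_path(path)


def rule_netwire_hostid(ev: Dict[str, str]) -> bool:
    """EventID 13 write to HKCU\\Software\\NetWire\\HostId."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == "13" and target.endswith("\\software\\netwire\\hostid")


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "Scheduled temp file as task from temp location": rule_scheduled_task_from_temp,
    "NetWire HostId registry value": rule_netwire_hostid,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, ProcessId) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("ProcessId", "?")))
    return hits


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"[{name}] pid={pid}")
```

Run against the constructed events, only the two records taken from the report fire (PIDs 5540 and 4160); the vendor installer's task, the /Query call and the Explorer setting are ignored. In production the same logic would also want the parent image (here an unsigned binary on the Desktop) and the task name's Updates\ prefix as extra context.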

Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\service.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\HRgFfvmwT.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.service.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 17.2.service.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 11.2.service.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen

Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe, Code function: 0_2_01282816 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_01282816
Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe, Code function: 0_2_0129C562 FindFirstFileExA,0_2_0129C562
Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe, Code function: 0_2_0128ECFC SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0128ECFC

Source: global traffic, TCP traffic: 192.168.2.5:49747 -> 38.132.124.156:1199
Source: unknown, TCP traffic detected without corresponding DNS query: 38.132.124.156 (this entry is reported 16 times in the run)
Source: C:\Users\user\Desktop\service.exe, Code function: 7_2_00405FBE recv,7_2_00405FBE
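The flow above, a direct TCP connect to 38.132.124.156:1199 with no DNS lookup, repeated throughout the run, is the usual NetWire beacon shape: the C2 address is hard-coded, so nothing ever resolves it, and the port is whatever the builder was given. As an added example that is not part of the report, the Python below implements the check behind the "without corresponding DNS query" lines: it replays a constructed, time-ordered list of DNS answers and TCP connects, keeps the set of addresses any DNS answer has returned so far, and flags outbound connects to non-local destinations that were never resolved or that use a port outside an assumed allow-list. Only the first connect is taken from the report; the benign lookup and connect to 203.0.113.10, the extra source ports, and the late DNS answer are constructed inputs, and STANDARD_PORTS and LOCAL_NETS are the example's own assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed, time-ordered event stream (not real sandbox output). The connect from
# 192.168.2.5:49747 to 38.132.124.156:1199 is the flow from the report; everything
# else is made up to exercise each branch of the check.
EVENTS: List[Dict] = [
    {"t": 1.0, "type": "dns", "qname": "update.example", "answers": ["203.0.113.10"]},
    {"t": 1.2, "type": "tcp", "src": "192.168.2.5", "sport": 49740, "dst": "203.0.113.10", "dport": 443},
    {"t": 1.5, "type": "tcp", "src": "192.168.2.5", "sport": 49741, "dst": "192.168.2.1", "dport": 445},
    {"t": 2.0, "type": "tcp", "src": "192.168.2.5", "sport": 49747, "dst": "38.132.124.156", "dport": 1199},
    {"t": 2.1, "type": "tcp", "src": "192.168.2.5", "sport": 49748, "dst": "38.132.124.156", "dport": 1199},
    {"t": 2.2, "type": "tcp", "src": "192.168.2.5", "sport": 49749, "dst": "38.132.124.156", "dport": 1199},
    # A lookup that only resolves the C2 after the first connects: later connects are
    # still on an odd port, but no longer "unresolved".
    {"t": 2.5, "type": "dns", "qname": "late.example", "answers": ["38.132.124.156"]},
    {"t": 3.0, "type": "tcp", "src": "192.168.2.5", "sport": 49750, "dst": "38.132.124.156", "dport": 1199},
]

# Assumed: destinations inside these ranges are local infrastructure and are not judged.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Assumed allow-list of ports an ordinary workstation talks to; 1199 is outside it.
STANDARD_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995, 8080}


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyse(events: List[Dict]) -> List[Dict]:
    """Replay events in time order; flag connects with no prior DNS answer and/or odd ports."""
    resolved = set()          # every address returned by a DNS answer seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
            continue
        if is_local(ev["dst"]):
            continue
        reasons = []
        if ev["dst"] not in resolved:
            reasons.append("no prior DNS answer for destination")
        if ev["dport"] not in STANDARD_PORTS:
            reasons.append(f"non-standard port {ev['dport']}")
        if reasons:
            findings.append({
                "flow": f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}",
                "dst": ev["dst"],
                "reasons": reasons,
            })
    return findings


def by_destination(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged connects per destination; repeated contacts suggest beaconing."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["dst"]] = counts.get(f["dst"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyse(EVENTS)
    for f in found:
        print(f"{f['flow']}: {'; '.join(f['reasons'])}")
    for dst, n in by_destination(found).items():
        print(f"{dst}: {n} flagged connect(s)")
```

The resolved set is global here; a real implementation keys it on the source host and expires entries with the answer's TTL, otherwise one lookup by any machine whitelists the address for everyone indefinitely. The per-destination count is what turns 16 identical report lines into a single beaconing finding.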
Source: service.exe, String found in binary or memory: http://www.yandex.com
Source: service.exe, 00000002.00000002.786050180.0000000003500000.00000004.00000001.sdmp, service.exe, 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, service.exe, 00000008.00000002.835305105.0000000002CB0000.00000004.00000001.sdmp, service.exe, 0000000B.00000002.1194112439.0000000000400000.00000040.00000001.sdmp, service.exe, 0000000D.00000002.864352144.0000000002930000.00000004.00000001.sdmp, service.exe, 00000011.00000002.1194121055.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.yandex.comsocks=
Source: DA4F0371-CC69-42A3-91EB-B75EA918A6AD.3.dr, strings found in binary or memory (Microsoft Office client endpoints embedded in an Office-generated file, not attacker infrastructure):
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com/
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.microsoftstream.com/api/
  • https://api.onedrive.com
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://api.powerbi.com/v1.0/myorg/imports
  • https://apis.live.net/v5.0/
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.entity.
  • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net/
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
  • https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
  • https://cr.office.com
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com/config/v2/Office
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://lifecycle.office.com
  • https://login.microsoftonline.com/
  • https://login.microsoftonline.com/common
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://management.azure.com
  • https://management.azure.com/
  • https://messaging.office.com/
  • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus-000.contentsync.
  • https://ncus-000.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://o365diagnosticsppe-web.cloudapp.net
  • https://ocos-office365-s2s.msedge.net/ab
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • https://portal.office.com/account/?ref=ClientMeControl
  • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • https://powerlift-frontdesk.acompli.net
  • https://powerlift.acompli.net
  • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • https://prod-global-autodetect.acompli.net/autodetect
  • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • https://res.getmicrosoftkey.com/api/redemptionevents
  • https://retailer.osi.office.net/appstate/query
  • https://rpsticket.partnerservices.getmicrosoftkey.com
  • https://settings.outlook.com
  • https://shell.suite.office.com:1443
  • https://skyapi.live.net/Activity/
  • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • https://storage.live.com/clientlogs/uploadlocation
  • https://store.office.cn/addinstemplate
  • https://store.office.com/?productgroup=Outlook
  • https://store.office.com/addinstemplate
  • https://store.office.de/addinstemplate
  • https://store.officeppe.com/addinstemplate
  • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://tasks.office.com
  • https://templatelogging.office.com/client/log
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • https://visio.uservoice.com/forums/368202-visio-on-devices
  • https://web.microsoftstream.com/video/
  • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  • https://wus2-000.contentsync.
  • https://wus2-000.pagecontentsync.
  • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  • https://www.odwebp.svc.ms
Source: ~WRS{8A44912E-53ED-4C01-B59C-36BE370837B1}.tmp.3.dr, strings found in binary or memory (a Word scratch file; the links match the COVID-relief lure text of the decoy document):
  • https://www.irs.gov/newsroom/economic-impact-payments-what-you-need-to-know?mod=article_inline
  • https://www.irs.gov/newsroom/irs-employee-retention-credit-available-for-many-businesses-financially
  • https://www.marketwatch.com/story/coronavirus-stimulus-package-tax-relief-withdraw-100k-from-your-ir
  • https://www.marketwatch.com/story/what-the-family-first-coronavirus-relief-bill-means-for-small-busi
  • https://www.sba.com/funding-a-business/government-small-business-loans/ppp/?mod=article_inline

      Source: service.exe, 00000002.00000002.784185947.000000000158B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.1194112439.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 0000000B.00000002.1194112439.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.835958166.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.835305105.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.865103835.0000000003979000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 00000011.00000002.1194121055.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 00000011.00000002.1194121055.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.864352144.0000000002930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.786050180.0000000003500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.787372330.0000000004549000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: service.exe PID: 5808, type: MEMORY | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: Process Memory Space: service.exe PID: 5808, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: service.exe PID: 5820, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: service.exe PID: 5652, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: service.exe PID: 5440, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: service.exe PID: 460, type: MEMORY | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: Process Memory Space: service.exe PID: 460, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: service.exe PID: 4160, type: MEMORY | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: Process Memory Space: service.exe PID: 4160, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 17.2.service.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 17.2.service.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.service.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 11.2.service.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 7.2.service.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 7.2.service.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 17.2.service.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 17.2.service.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 7.2.service.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 11.2.service.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample Author: Florian Roth
      Source: 7.2.service.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.service.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\service.exe | Code function: String function: 004081AA appears 220 times
      Source: C:\Users\user\Desktop\service.exe | Code function: String function: 0041F9BC appears 64 times
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Code function: String function: 01291430 appears 44 times
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe | Binary or memory string: OriginalFilename vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, 00000000.00000003.773775452.0000000000086000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinWord.exeB vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, 00000000.00000002.777708906.00000000012AD000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename5NQkonSqvEJ95cM.exe0 vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, 00000000.00000002.776976367.0000000000B20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, 00000000.00000002.774938400.0000000000250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, 00000000.00000002.777133640.0000000000B80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: CPA accountant COVID_19 pandemic relief (20,000$).exe, 00000000.00000002.777133640.0000000000B80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CPA accountant COVID_19 pandemic relief (20,000$).exe
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\CPA accountant COVID_19 pandemic relief (20,000$).exe | Section loaded: dxgidebug.dll
      Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
      Source: 00000007.00000002.1194106024.0000000000400000.00000040.00000001.sdmp, type: MEMORY