Malware Analysis Report

2025-01-18 04:40

Sample ID 230905-sh76dsge46
Target JC_0b75f86bd7c01f5273a67caa8d0fae6ddba35a6d51d041e51586dec3b1c46c74
SHA256 0b75f86bd7c01f5273a67caa8d0fae6ddba35a6d51d041e51586dec3b1c46c74
Tags
revengerat spam stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b75f86bd7c01f5273a67caa8d0fae6ddba35a6d51d041e51586dec3b1c46c74

Threat Level: Known bad

The file JC_0b75f86bd7c01f5273a67caa8d0fae6ddba35a6d51d041e51586dec3b1c46c74 was found to be: Known bad.

Malicious Activity Summary

revengerat spam stealer trojan

RevengeRAT

RevengeRat Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-05 15:08

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-05 15:08

Reported

2023-09-05 15:11

Platform

win10v2004-20230831-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Образец.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Образец.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 102.132.60.8.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/4204-0-0x00007FFA442D0000-0x00007FFA442E0000-memory.dmp

memory/4204-1-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-2-0x00007FFA442D0000-0x00007FFA442E0000-memory.dmp

memory/4204-3-0x00007FFA442D0000-0x00007FFA442E0000-memory.dmp

memory/4204-4-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-6-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-5-0x00007FFA442D0000-0x00007FFA442E0000-memory.dmp

memory/4204-7-0x00007FFA442D0000-0x00007FFA442E0000-memory.dmp

memory/4204-8-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-9-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-10-0x00007FFA421C0000-0x00007FFA421D0000-memory.dmp

memory/4204-11-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-12-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-13-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-14-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-15-0x00007FFA421C0000-0x00007FFA421D0000-memory.dmp

memory/4204-16-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-17-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-18-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-19-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-24-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/4204-32-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-33-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-34-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-35-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-36-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-37-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-38-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-40-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-39-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-41-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-42-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-43-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-44-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-45-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-46-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

memory/4204-47-0x00007FFA84250000-0x00007FFA84445000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-05 15:08

Reported

2023-09-05 15:11

Platform

win7-20230831-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 1728 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe

"C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe"

C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe

"C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe"

Network

N/A

Files

memory/1728-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/1728-0-0x0000000000260000-0x0000000000290000-memory.dmp

memory/1728-2-0x0000000004C70000-0x0000000004CB0000-memory.dmp

memory/1728-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1728-4-0x0000000000520000-0x000000000052E000-memory.dmp

memory/1728-5-0x0000000000530000-0x0000000000538000-memory.dmp

memory/2400-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-8-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2400-12-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1728-16-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2400-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-18-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2400-19-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2400-20-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2400-21-0x0000000004D00000-0x0000000004D40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-05 15:08

Reported

2023-09-05 15:11

Platform

win10v2004-20230831-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe
PID 4648 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe

"C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe"

C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe

"C:\Users\Admin\AppData\Local\Temp\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.132.60.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/4648-0-0x0000000000930000-0x0000000000960000-memory.dmp

memory/4648-1-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4648-2-0x0000000005460000-0x0000000005470000-memory.dmp

memory/4648-3-0x0000000002D20000-0x0000000002D21000-memory.dmp

memory/4648-4-0x0000000005A50000-0x0000000005FF4000-memory.dmp

memory/4776-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Договор на оказании услуг № 118 от 4 сентября 2023 года.exe.log

MD5 41c37de2b4598f7759f865817dba5f80
SHA1 884ccf344bc2dd409425dc5ace0fd909a5f8cce4
SHA256 427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc
SHA512 a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

memory/4776-8-0x0000000004930000-0x00000000049CC000-memory.dmp

memory/4776-9-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4648-10-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4776-11-0x0000000004A00000-0x0000000004A66000-memory.dmp

memory/4776-12-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

memory/4776-13-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4776-14-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-05 15:08

Reported

2023-09-05 15:11

Platform

win7-20230831-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Образец.docx"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Образец.docx"

Network

N/A

Files

memory/2164-0-0x000000002F400000-0x000000002F55D000-memory.dmp

memory/2164-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2164-2-0x000000007137D000-0x0000000071388000-memory.dmp

memory/2164-5-0x000000002F400000-0x000000002F55D000-memory.dmp

memory/2164-6-0x000000007137D000-0x0000000071388000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e433227bdfe873daa86b2c97abb87eca
SHA1 5ecd2b331b22a9cc21b2674f7b4bc2d7f785f805
SHA256 decd198971727e0ea3c7f0a66409f14001f7f8d27c5faa5135144b7f2bff4af7
SHA512 9ae11e6c1b1d257f8d26a7a5b6f4d4aab4e260cb9d9654066a5c27434215c4eabb1f2c79e1f016bff3141599d777d6524f116f5cdfe76669c92e4726c06e8f9a

memory/2164-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2164-27-0x000000007137D000-0x0000000071388000-memory.dmp