| Field | Value |
|---|---|
| File name: | $RLNWDPB.exe |
| Full analysis: | https://app.any.run/tasks/609a7815-cac3-4c88-ac1d-b6095574f785 |
| Verdict: | Malicious activity |
| Analysis date: | January 31, 2025, 14:18:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 810858208CFCB941DCB6B8362ADDCFB0 |
| SHA1: | F53A477512E776F5F7D6A47D2B90DA1C76189CA3 |
| SHA256: | DEAF92E2C3EA58901DBF7CF42A74C73A11B638E91BA5AF8CB368DA0BEE6E3EE9 |
| SSDEEP: | 24576:u8VuNP2EZIrrR5eGQ3Ma3jQtDxdlW58PsGfhloCNyorX0Rg:vVuNP2WIrrneL3j3jQtDHlW58UGjoCND |
| Extension | Type | Probability (%) |
|---|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) | 67.4 |
| .dll | Win32 Dynamic Link Library (generic) | 14.2 |
| .exe | Win32 Executable (generic) | 9.7 |
| .exe | Generic Win/DOS Executable | 4.3 |
| .exe | DOS Executable Generic | 4.3 |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2021:09:25 21:57:46+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 27136 |
| InitializedDataSize: | 186880 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x352d |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 2260 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 16.0.16026.20146 | — |
| 2444 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4128 --field-trial-handle=2432,i,10863052931435165632,13470197287782494468,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 122.0.2365.59 | — |
| 3428 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\admin\AppData\Roaming\Microsoft\Templates\Debate.dotm" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 16.0.16026.20146 | — |
| 3920 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3328 --field-trial-handle=2432,i,10863052931435165632,13470197287782494468,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 122.0.2365.59 | — |
| 4544 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\admin\AppData\Roaming\Microsoft\Templates\Debate.xltm" | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 16.0.16026.20146 | 0 |
| 5032 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4728 --field-trial-handle=2432,i,10863052931435165632,13470197287782494468,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 122.0.2365.59 | 0 |
| 5076 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://paperlessdebate.com/ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | 122.0.2365.59 | — |
| 5212 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3744 --field-trial-handle=2432,i,10863052931435165632,13470197287782494468,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 122.0.2365.59 | — |
| 6172 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "92ED3268-A83B-4319-916F-958B5D639435" "A2248265-133E-41F9-B5ED-6B6CF5244AB0" "3428" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. | 0.12.2.0 | — |
| 6228 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\admin\AppData\Roaming\Microsoft\Templates\Debate.xltm" | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 16.0.16026.20146 | — |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | DisplayName | Verbatim |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | Publisher | Ashtar Communications |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | HelpLink | https://paperlessdebate.com |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | URLUpdateInfo | https://paperlessdebate.com |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | URLInfoAbout | https://paperlessdebate.com |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | DisplayVersion | 6.0.0 |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | UninstallString | "C:\Program Files\Verbatim\UninstallVerbatim.exe" |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | NoModify | 1 |
| (6512) $RLNWDPB.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Verbatim | write | NoRepair | 1 |
| (3428) WINWORD.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems | write | na" | 6E612200640D00000100000000000000FDCA3724EB73DB0100000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6512 | $RLNWDPB.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Verbatim\Verbatim Flow.lnk | binary | 7303621E83798312F65DB7C9C2D799E9 | A66B0BED2CC5DA6BC9F2D5544ACDE40AEC440A1BDF7877D8FC4D7E04BD5BF05D |
| 6512 | $RLNWDPB.exe | C:\Users\admin\Desktop\Verbatim.lnk | binary | 68A90276DA9C6B2C49A024AC441CBA54 | 3E28B326E983DE00BC23FC4E38D9C25F2339A0E224EBDE61D758A62810DFE2B0 |
| 6512 | $RLNWDPB.exe | C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\DebateStartup.dotm | document | B17CB4956D3E2B243BF49C1BA11AF9BF | BFEE4D8020BE124E9260387B439C8494EB8E9100BF175E4290A146C0A10AD51E |
| 6512 | $RLNWDPB.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Verbatim\Verbatim.lnk | binary | BB27213A87D102EE9F556EB1423D22ED | 39E7F8963DD8880B7883E87499C6EF53B62B230C669A6E66FC1FC33095BE3AC4 |
| 6512 | $RLNWDPB.exe | C:\Users\admin\AppData\Local\Temp\nsn9138.tmp\nsProcess.dll | executable | 05450FACE243B3A7472407B999B03A72 | 95FE9D92512FF2318CC2520311EF9145B2CEE01209AB0E1B6E45C7CE1D4D0E89 |
| 6512 | $RLNWDPB.exe | C:\Program Files\Verbatim\CHANGELOG.md | text | A146905F371454AB40A9F118A0BFC3EB | 39DE7948A14AAF31BB3722BA0C4B35222EE2AD25A7A40741FC8CB70F8201A1BB |
| 6512 | $RLNWDPB.exe | C:\Program Files\Verbatim\UninstallVerbatim.exe | executable | 89370EBD875C377FB35CD501B468A09C | 7089EC93147CD2C3F6E7DC3F4F9539C52F8BAE702292E48BC122826DB021F1E4 |
| 6512 | $RLNWDPB.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Verbatim\Uninstall Verbatim.lnk | binary | 62315525450CD6A7C3C6185F2C9BF175 | C35351A7E13DAC8D474C5D7ACA1848900C9902769820612B532412D18625D504 |
| 6512 | $RLNWDPB.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\Debate.xltm | document | C19949E3E142E90853021A211D637656 | 0EFBCD3D76010E9D789279BF07BF4731E1399B3DE3F3B703E8101BB0FADA16E4 |
| 6512 | $RLNWDPB.exe | C:\Program Files\Verbatim\Verbatim.lnk | binary | 29359CF1C8166E11B3C0AC3D7DA9AB4E | AC86FDA4B4F325B78F54878CB66BFA92F32B1530B0530B73A0BF5BFC2EBBACA0 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| — | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
| — | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
| 6612 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
| 6096 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 6096 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| 3428 | WINWORD.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4712 | MoUsoCoreWorker.exe | 2.16.164.112:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
| — | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 2.21.65.153:443 | — | Akamai International B.V. | NL | unknown |
| 4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| 3296 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 2.21.65.154:443 | — | Akamai International B.V. | NL | unknown |
| — | — | 2.19.106.8:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
| — | — | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| — | — | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| go.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| www.bing.com | | whitelisted |
| fp.msedge.net | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| Process | Message |
|---|---|
| WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |
| WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |
| WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |