Analysis
max time kernel: 176s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 19:21
Static task: static1
Behavioral task: behavioral1
Sample: 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Resource: win10v2004-20240412-en
General
Target: 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Size: 4.2MB
MD5: f454360d3dd334dfca7c586a14a26dd5
SHA1: 52fa5fad21d38da0254aff907ee0cf7f54123a98
SHA256: 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c
SHA512: 17d29715524640d6e886c4d2fed27a7233531ae18d7b9ca1e4e6fe6b2308c0820a3cb07dfbb6f7f98b33f7de559b9764a191d4adde6b16dc69299bf42e8b4ec5
SSDEEP: 98304:Lz8muvG4/7oo98xMphVIqHAQJ7eNfIWzS5gC960Xfu6ti9vBy29s:LzvuvT/7/zVIWAQdeNfIWzX0W6tA42S
Malware Config
Signatures
-
Glupteba payload 12 IoCs
resource | yara_rule
behavioral1/memory/3756-2-0x00000000052A0000-0x0000000005B8B000-memory.dmp | family_glupteba
behavioral1/memory/3756-3-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-4-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-5-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-6-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-8-0x00000000052A0000-0x0000000005B8B000-memory.dmp | family_glupteba
behavioral1/memory/3756-12-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-41-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-57-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3756-75-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/2388-78-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/2388-94-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1848 | powershell.exe
1848 | powershell.exe
3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
2552 | powershell.exe
2552 | powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1848 | powershell.exe
Token: SeDebugPrivilege | 3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Token: SeImpersonatePrivilege | 3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
Token: SeDebugPrivilege | 2552 | powershell.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3756 wrote to memory of 1848 | 3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe | 98
PID 3756 wrote to memory of 1848 | 3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe | 98
PID 3756 wrote to memory of 1848 | 3756 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe | 98
PID 2388 wrote to memory of 2552 | 2388 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe | 106
PID 2388 wrote to memory of 2552 | 2388 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe | 106
PID 2388 wrote to memory of 2552 | 2388 | 5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe | 106
Processes
C:\Users\Admin\AppData\Local\Temp\5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3756

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 3756)
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1848

  C:\Users\Admin\AppData\Local\Temp\5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe (child of PID 3756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f9ecaf3ad52a536277373da967f50d39fc06806126e5cc46a7c69b875f9005c.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID: 2388

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 2388)
      Command line: powershell -nologo -noprofile
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2552
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82