Analysis

max time kernel: 75s
max time network: 83s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 17:09

Static task: static1
Behavioral task: behavioral1
  Sample: re-yang-win.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: re-yang-win.exe
  Resource: win10v2004-20241007-en
General

Target: re-yang-win.exe
Size: 44.2MB
MD5: 77b7d74832aadde63f80721f094ca67d
SHA1: 4802f835da9e939aef08be0a841b3be8ee947489
SHA256: 08a04b950c6031066e2e4ad246b25baef1c48c6227a75060e4ca6cbf440a629b
SHA512: 835ced24cd77e84862506a026375ed21570f98abcaf590420720b78098fe210f1056258ccd56ed7a569eef4cd6be71eb871ff1d34006037e57fd0a0ceeb85d00
SSDEEP: 393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfi:fMguj8Q4VfvLqFTrYw3WLXPhid+Vl
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | Process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | re-yang-win.exe
- Clipboard Data (1 TTPs, 64 IoCs)
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  Processes (pid | Process):
    4484 powershell.exe
    4000 cmd.exe
    2496 powershell.exe
    4324 powershell.exe
    1700 powershell.exe
    4700 powershell.exe
    5104 cmd.exe
    1132 powershell.exe
    4520 cmd.exe
    4020 cmd.exe
    1272 powershell.exe
    3612 powershell.exe
    4304 powershell.exe
    1272 powershell.exe
    464 powershell.exe
    2852 cmd.exe
    4156 powershell.exe
    3836 powershell.exe
    1256 cmd.exe
    2572 cmd.exe
    4540 powershell.exe
    2796 powershell.exe
    5112 cmd.exe
    180 powershell.exe
    2676 powershell.exe
    3244 powershell.exe
    4152 cmd.exe
    2852 powershell.exe
    3664 cmd.exe
    4060 cmd.exe
    3264 cmd.exe
    5020 cmd.exe
    440 cmd.exe
    1224 powershell.exe
    3792 powershell.exe
    3252 powershell.exe
    3776 powershell.exe
    2964 cmd.exe
    4772 powershell.exe
    5040 powershell.exe
    3604 powershell.exe
    3676 cmd.exe
    524 powershell.exe
    724 cmd.exe
    1904 cmd.exe
    2272 powershell.exe
    1084 cmd.exe
    860 cmd.exe
    3644 cmd.exe
    3360 powershell.exe
    1376 cmd.exe
    4024 powershell.exe
    3428 cmd.exe
    3804 cmd.exe
    1528 cmd.exe
    4272 powershell.exe
    3284 powershell.exe
    2252 cmd.exe
    1700 powershell.exe
    4348 powershell.exe
    2180 cmd.exe
    1900 cmd.exe
    2880 powershell.exe
    1868 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | Process):
    4932 re-yang-win.exe
    4932 re-yang-win.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 16 IoCs)
  Processes (flow | ioc):
    25 raw.githubusercontent.com
    31 raw.githubusercontent.com
    21 raw.githubusercontent.com
    17 raw.githubusercontent.com
    20 raw.githubusercontent.com
    26 raw.githubusercontent.com
    33 raw.githubusercontent.com
    14 raw.githubusercontent.com
    19 raw.githubusercontent.com
    27 raw.githubusercontent.com
    30 raw.githubusercontent.com
    37 discord.com
    11 raw.githubusercontent.com
    32 raw.githubusercontent.com
    36 discord.com
    18 raw.githubusercontent.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    40 api.ipify.org
    41 api.ipify.org
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | Process):
    4176 powershell.exe
    4176 powershell.exe
    4156 powershell.exe
    4156 powershell.exe
    3604 powershell.exe
    3604 powershell.exe
    1700 powershell.exe
    1700 powershell.exe
    1224 powershell.exe
    1224 powershell.exe
    180 powershell.exe
    180 powershell.exe
    3792 powershell.exe
    3792 powershell.exe
    4784 powershell.exe
    4784 powershell.exe
    4348 powershell.exe
    4348 powershell.exe
    2676 powershell.exe
    2676 powershell.exe
    4272 powershell.exe
    4272 powershell.exe
    4272 powershell.exe
    3284 powershell.exe
    3284 powershell.exe
    3284 powershell.exe
    3244 powershell.exe
    3244 powershell.exe
    2272 powershell.exe
    2272 powershell.exe
    1272 powershell.exe
    1272 powershell.exe
    3612 powershell.exe
    3612 powershell.exe
    212 powershell.exe
    212 powershell.exe
    4304 powershell.exe
    4304 powershell.exe
    3252 powershell.exe
    3252 powershell.exe
    2852 powershell.exe
    2852 powershell.exe
    2496 powershell.exe
    2496 powershell.exe
    4024 powershell.exe
    4024 powershell.exe
    2628 powershell.exe
    2628 powershell.exe
    1272 powershell.exe
    1272 powershell.exe
    1656 powershell.exe
    1656 powershell.exe
    4588 powershell.exe
    4588 powershell.exe
    1700 powershell.exe
    1700 powershell.exe
    464 powershell.exe
    464 powershell.exe
    4152 powershell.exe
    4152 powershell.exe
    3360 powershell.exe
    3360 powershell.exe
    4324 powershell.exe
    4324 powershell.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description | pid | Process):
    Token: SeDebugPrivilege | 4176 | powershell.exe
    Token: SeDebugPrivilege | 4156 | powershell.exe
    Token: SeDebugPrivilege | 3604 | powershell.exe
    Token: SeDebugPrivilege | 1700 | powershell.exe
    Token: SeDebugPrivilege | 1224 | powershell.exe
    Token: SeDebugPrivilege | 180 | powershell.exe
    Token: SeDebugPrivilege | 3792 | powershell.exe
    Token: SeDebugPrivilege | 4784 | powershell.exe
    Token: SeDebugPrivilege | 4348 | powershell.exe
    Token: SeDebugPrivilege | 2676 | powershell.exe
    Token: SeDebugPrivilege | 4272 | powershell.exe
    Token: SeDebugPrivilege | 3284 | powershell.exe
    Token: SeDebugPrivilege | 3244 | powershell.exe
    Token: SeDebugPrivilege | 2272 | powershell.exe
    Token: SeDebugPrivilege | 1272 | powershell.exe
    Token: SeDebugPrivilege | 3612 | powershell.exe
    Token: SeDebugPrivilege | 212 | powershell.exe
    Token: SeDebugPrivilege | 4304 | powershell.exe
    Token: SeDebugPrivilege | 3252 | powershell.exe
    Token: SeDebugPrivilege | 2852 | powershell.exe
    Token: SeDebugPrivilege | 2496 | powershell.exe
    Token: SeDebugPrivilege | 4024 | powershell.exe
    Token: SeDebugPrivilege | 2628 | powershell.exe
    Token: SeDebugPrivilege | 1272 | powershell.exe
    Token: SeDebugPrivilege | 1656 | powershell.exe
    Token: SeDebugPrivilege | 4588 | powershell.exe
    Token: SeDebugPrivilege | 1700 | powershell.exe
    Token: SeDebugPrivilege | 464 | powershell.exe
    Token: SeDebugPrivilege | 4152 | powershell.exe
    Token: SeDebugPrivilege | 3360 | powershell.exe
    Token: SeDebugPrivilege | 4324 | powershell.exe
    Token: SeDebugPrivilege | 4348 | powershell.exe
    Token: SeDebugPrivilege | 1020 | powershell.exe
    Token: SeDebugPrivilege | 4540 | powershell.exe
    Token: SeDebugPrivilege | 4700 | powershell.exe
    Token: SeDebugPrivilege | 3776 | powershell.exe
    Token: SeDebugPrivilege | 2068 | powershell.exe
    Token: SeDebugPrivilege | 4484 | powershell.exe
    Token: SeDebugPrivilege | 4772 | powershell.exe
    Token: SeDebugPrivilege | 524 | powershell.exe
    Token: SeDebugPrivilege | 3836 | powershell.exe
    Token: SeDebugPrivilege | 5040 | powershell.exe
    Token: SeDebugPrivilege | 1132 | powershell.exe
    Token: SeDebugPrivilege | 2796 | powershell.exe
    Token: SeDebugPrivilege | 3696 | powershell.exe
    Token: SeDebugPrivilege | 2880 | powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | Process | procid_target):
    PID 4932 wrote to memory of 2724 | 4932 | re-yang-win.exe | 88
    PID 4932 wrote to memory of 2724 | 4932 | re-yang-win.exe | 88
    PID 2724 wrote to memory of 4176 | 2724 | cmd.exe | 89
    PID 2724 wrote to memory of 4176 | 2724 | cmd.exe | 89
    PID 4932 wrote to memory of 1376 | 4932 | re-yang-win.exe | 90
    PID 4932 wrote to memory of 1376 | 4932 | re-yang-win.exe | 90
    PID 1376 wrote to memory of 4156 | 1376 | cmd.exe | 91
    PID 1376 wrote to memory of 4156 | 1376 | cmd.exe | 91
    PID 4932 wrote to memory of 3264 | 4932 | re-yang-win.exe | 94
    PID 4932 wrote to memory of 3264 | 4932 | re-yang-win.exe | 94
    PID 3264 wrote to memory of 3604 | 3264 | cmd.exe | 95
    PID 3264 wrote to memory of 3604 | 3264 | cmd.exe | 95
    PID 4932 wrote to memory of 396 | 4932 | re-yang-win.exe | 100
    PID 4932 wrote to memory of 396 | 4932 | re-yang-win.exe | 100
    PID 396 wrote to memory of 1700 | 396 | cmd.exe | 101
    PID 396 wrote to memory of 1700 | 396 | cmd.exe | 101
    PID 4932 wrote to memory of 2672 | 4932 | re-yang-win.exe | 102
    PID 4932 wrote to memory of 2672 | 4932 | re-yang-win.exe | 102
    PID 2672 wrote to memory of 1224 | 2672 | cmd.exe | 103
    PID 2672 wrote to memory of 1224 | 2672 | cmd.exe | 103
    PID 4932 wrote to memory of 1868 | 4932 | re-yang-win.exe | 104
    PID 4932 wrote to memory of 1868 | 4932 | re-yang-win.exe | 104
    PID 1868 wrote to memory of 180 | 1868 | cmd.exe | 105
    PID 1868 wrote to memory of 180 | 1868 | cmd.exe | 105
    PID 4932 wrote to memory of 976 | 4932 | re-yang-win.exe | 108
    PID 4932 wrote to memory of 976 | 4932 | re-yang-win.exe | 108
    PID 976 wrote to memory of 3792 | 976 | cmd.exe | 109
    PID 976 wrote to memory of 3792 | 976 | cmd.exe | 109
    PID 4932 wrote to memory of 4324 | 4932 | re-yang-win.exe | 110
    PID 4932 wrote to memory of 4324 | 4932 | re-yang-win.exe | 110
    PID 4324 wrote to memory of 4784 | 4324 | cmd.exe | 111
    PID 4324 wrote to memory of 4784 | 4324 | cmd.exe | 111
    PID 4932 wrote to memory of 4020 | 4932 | re-yang-win.exe | 112
    PID 4932 wrote to memory of 4020 | 4932 | re-yang-win.exe | 112
    PID 4020 wrote to memory of 4348 | 4020 | cmd.exe | 113
    PID 4020 wrote to memory of 4348 | 4020 | cmd.exe | 113
    PID 4932 wrote to memory of 1904 | 4932 | re-yang-win.exe | 118
    PID 4932 wrote to memory of 1904 | 4932 | re-yang-win.exe | 118
    PID 1904 wrote to memory of 2676 | 1904 | cmd.exe | 119
    PID 1904 wrote to memory of 2676 | 1904 | cmd.exe | 119
    PID 4932 wrote to memory of 3852 | 4932 | re-yang-win.exe | 120
    PID 4932 wrote to memory of 3852 | 4932 | re-yang-win.exe | 120
    PID 3852 wrote to memory of 4272 | 3852 | cmd.exe | 121
    PID 3852 wrote to memory of 4272 | 3852 | cmd.exe | 121
    PID 4932 wrote to memory of 1440 | 4932 | re-yang-win.exe | 122
    PID 4932 wrote to memory of 1440 | 4932 | re-yang-win.exe | 122
    PID 1440 wrote to memory of 3284 | 1440 | cmd.exe | 123
    PID 1440 wrote to memory of 3284 | 1440 | cmd.exe | 123
    PID 4932 wrote to memory of 3376 | 4932 | re-yang-win.exe | 124
    PID 4932 wrote to memory of 3376 | 4932 | re-yang-win.exe | 124
    PID 3376 wrote to memory of 3244 | 3376 | cmd.exe | 125
    PID 3376 wrote to memory of 3244 | 3376 | cmd.exe | 125
    PID 4932 wrote to memory of 4520 | 4932 | re-yang-win.exe | 126
    PID 4932 wrote to memory of 4520 | 4932 | re-yang-win.exe | 126
    PID 4520 wrote to memory of 2272 | 4520 | cmd.exe | 127
    PID 4520 wrote to memory of 2272 | 4520 | cmd.exe | 127
    PID 4932 wrote to memory of 3032 | 4932 | re-yang-win.exe | 128
    PID 4932 wrote to memory of 3032 | 4932 | re-yang-win.exe | 128
    PID 3032 wrote to memory of 1272 | 3032 | cmd.exe | 129
    PID 3032 wrote to memory of 1272 | 3032 | cmd.exe | 129
    PID 4932 wrote to memory of 1084 | 4932 | re-yang-win.exe | 130
    PID 4932 wrote to memory of 1084 | 4932 | re-yang-win.exe | 130
    PID 1084 wrote to memory of 3612 | 1084 | cmd.exe | 131
    PID 1084 wrote to memory of 3612 | 1084 | cmd.exe | 131
Processes
(the bracketed number is the process's depth in the tree; each entry lists its PID, image/command line, and the signatures attached to it)

[depth 1] PID 4932  C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe")
    signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of WriteProcessMemory

  [depth 2] PID 2724  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 4176  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1376  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 4156  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3264  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 3604  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 396  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 1700  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2672  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 1224  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1868  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 180  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 976  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 3792  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4324  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 4784  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4020  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 4348  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1904  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 2676  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3852  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 4272  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1440  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 3284  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3376  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 3244  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4520  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 2272  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3032  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Suspicious use of WriteProcessMemory
    [depth 3] PID 1272  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1084  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
    [depth 3] PID 3612  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2252  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 212  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4000  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4304  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 5020  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 3252  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4152  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 2852  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 724  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 2496  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2460  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 4024  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 860  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 2628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3428  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 1272  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3676  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 1656  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3644  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4588  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3804  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 1700  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3664  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 464  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2852  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4152  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2572  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 3360  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 5112  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4324  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3192  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 4348  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2180  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 1020  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1616  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 4540  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1900  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4700  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4060  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 3776  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1528  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 2068  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 440  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4484  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2964  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 4772  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 5088  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 524  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 2488  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 3836  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 4820  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 5040  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 5104  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 1132  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 5020  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 2796  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 3308  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: (none)
    [depth 3] PID 3696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Suspicious use of AdjustPrivilegeToken

  [depth 2] PID 1256  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      signatures: Clipboard Data
    [depth 3] PID 2880  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Get-Clipboard)
        signatures: Clipboard Data; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: 8740e7db6a0d290c198447b1f16d5281
  SHA1: ab54460bb918f4af8a651317c8b53a8f6bfb70cd
  SHA256: f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5
  SHA512: d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

- Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

- Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 1KB
  MD5: 98d55c31ac02b32ac3c147cad3a97ed0
  SHA1: 1d72218c5cdd5cfe65187d66833eeaa16fad9368
  SHA256: b61bac80531f43058953c0747218203b4794908db361ed0a032d79f1168f6bdc
  SHA512: 36e48ab538dc41350ad4cb2a0127a1727db54b136e65f12526ac1648d884e462a28ebf7f7ca85eff37da5e7de9baddac9b28819395e65a7eb3dc83dbdd50f78e

- C:\Users\Admin\AppData\Local\Temp\pkg-e4HPfM\5c9a74674baa49a8cc3965a2d84a4f89cd4ea1a459a9b493fc02a581c95bf3a8
  Filesize: 137KB
  MD5: 04bfbfec8db966420fe4c7b85ebb506a
  SHA1: 939bb742a354a92e1dcd3661a62d69e48030a335
  SHA256: da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
  SHA512: 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

- C:\Users\Admin\AppData\Local\Temp\pkg-e4HPfM\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442
  Filesize: 1.8MB
  MD5: 66a65322c9d362a23cf3d3f7735d5430
  SHA1: ed59f3e4b0b16b759b866ef7293d26a1512b952e
  SHA256: f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
  SHA512: 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21