Analysis
max time kernel: 172s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 10:02

Static task: static1

Behavioral task: behavioral1
Sample: a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe
Resource: win10v2004-20220812-en
General
Target: a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe
Size: 886KB
MD5: 0a348b7fdfbf352cb88d90d7f9a51130
SHA1: 1ce66ddab94692f7417bd39c8d8716b16ceed429
SHA256: a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1
SHA512: 251eb18ded8d1621fb47de568004799919fc494f1ff94e7330e289ef07ca4a05146eb4d71e070fa0f1413200c87c1446aadaf70a1d75febdb4db0a8b78a0ded5
SSDEEP: 12288:Wat0EAH49n8BOM81CPJZG3t2mPFeCekSoyZc5/glTka9J01WPbU7NI51u/33EhfX:Bt24NM8AP2vFuBZOglLJ9z1CwoltK
Malware Config
Extracted
Family: cybergate
Version: v3.4.2.4
DSCR_SPR_220214
C2: clippico.zapto.org:33881
38N85GEQ100N2E

enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: FlashPlayerPlugin_11_9_900_175.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 27042704
regkey_hkcu: FlashPlayerPlugin
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | KcAxPTFELm.com
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | KcAxPTFELm.com
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | KcAxPTFELm.com
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | RegSvcs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" | RegSvcs.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | RegSvcs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" | RegSvcs.exe
Executes dropped EXE 5 IoCs
pid | Process
2208 | KcAxPTFELm.com
1256 | KcAxPTFELm.com
5044 | KcAxPTFELm.com
4092 | KcAxPTFELm.com
4796 | KcAxPTFELm.com
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe Restart" | RegSvcs.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO} | RegSvcs.exe

resource | yara_rule
behavioral2/memory/4080-144-0x0000000010410000-0x0000000010480000-memory.dmp | upx
behavioral2/memory/4080-149-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
behavioral2/memory/1504-152-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
behavioral2/memory/1504-153-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
behavioral2/memory/4080-157-0x00000000104F0000-0x0000000010560000-memory.dmp | upx
behavioral2/memory/4080-162-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
behavioral2/memory/3488-165-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
behavioral2/memory/3488-166-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
behavioral2/memory/1504-171-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
behavioral2/memory/3488-176-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | KcAxPTFELm.com
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | KcAxPTFELm.com
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | KcAxPTFELm.com
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayerPlugin_11_9_900_175.exe | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayerPlugin_11_9_900_175.exe | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | explorer.exe
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" | KcAxPTFELm.com
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | KcAxPTFELm.com
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" | KcAxPTFELm.com
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | KcAxPTFELm.com
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" | KcAxPTFELm.com
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | RegSvcs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugin = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" | RegSvcs.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | KcAxPTFELm.com
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | KcAxPTFELm.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | KcAxPTFELm.com
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | KcAxPTFELm.com
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2208 set thread context of 4080 | 2208 | KcAxPTFELm.com | 81
PID 1256 set thread context of 4272 | 1256 | KcAxPTFELm.com | 94
PID 4092 set thread context of 2812 | 4092 | KcAxPTFELm.com | 99
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | KcAxPTFELm.com
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | KcAxPTFELm.com
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | KcAxPTFELm.com
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2208 | KcAxPTFELm.com (46 rows)
5044 | KcAxPTFELm.com (2 rows)
1256 | KcAxPTFELm.com (2 rows)
5044 | KcAxPTFELm.com (2 rows)
1256 | KcAxPTFELm.com (12 rows)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3488 | explorer.exe
Token: SeDebugPrivilege | 3488 | explorer.exe
Token: SeDebugPrivilege | 1256 | KcAxPTFELm.com
Token: SeDebugPrivilege | 4092 | KcAxPTFELm.com
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4080 | RegSvcs.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2996 wrote to memory of 2208 | 2996 | a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe | 79 (3 rows)
PID 2208 wrote to memory of 4080 | 2208 | KcAxPTFELm.com | 81 (5 rows)
PID 4080 wrote to memory of 2596 | 4080 | RegSvcs.exe | 38 (56 rows)
Processes
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 2596
  [2] C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 2996
    [3] C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
        command line: "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2208
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          - Adds policy Run key to start application
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 4080
        [5] C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            - Modifies Installed Components in the registry
            PID: 1504
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            PID: 4304
        [5] C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            - Drops startup file
            - Suspicious use of AdjustPrivilegeToken
            PID: 3488
      [4] C:\Windows\SysWOW64\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
          - Checks computer location settings
          PID: 2656
        [5] C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
            command line: "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Suspicious use of SetThreadContext
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1256
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
              PID: 4272
          [6] C:\Windows\SysWOW64\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
              - Checks computer location settings
              PID: 4852
            [7] C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
                command line: "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
                - Modifies visibility of hidden/system files in Explorer
                - Executes dropped EXE
                - Checks computer location settings
                - Adds Run key to start application
                - Checks whether UAC is enabled
                - Suspicious use of SetThreadContext
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                PID: 4092
              [8] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                  PID: 2812
              [8] C:\Windows\SysWOW64\WScript.exe
                  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
                  - Checks computer location settings
                  PID: 3984
                [9] C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
                    command line: "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
                    - Executes dropped EXE
                    PID: 4796
      [4] C:\Windows\SysWOW64\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
          - Checks computer location settings
          PID: 2532
        [5] C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
            command line: "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 5044
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 202B
MD5: 9c160bfbdb99f4fce6e270936b46b7d0
SHA1: a250c33e8f5e590a369b5406a8462817ee11d14d
SHA256: 449ad064deabcd2cc96e131527accadafe685103724c4365127468a58ef81bbc
SHA512: 36afa7693e648d954ccc72c423dc7c3fa9c05503c6eb3632410ae566897f60192bae87c8933875954e6f3baba28284e29d260fd90fbe1f8accec5bc6168932ae

Filesize: 277KB
MD5: a397e3dfaf6c4df090004c47d2e29d22
SHA1: 8e76f79d34c2498c761fbaa00eb6fc14d56ea813
SHA256: 991a74e23f24d62660ff47b72435145fcfc438b5e69c14ae5d1c518ecfd83eb4
SHA512: 8bbc17fe03c9060a32773590169684249a6d035fa0f976c10de4f07f3bfdb60e09261be7d548ac5b2dab8f0054cbcd7c43d9ec3d79778d137e1c5ee919c6d89c

Filesize: 95B
MD5: c735bed0f11b2aa8c978be1417eb4503
SHA1: b46cbc79b2dee40c44c72fe3eca7d45e001e2eb6
SHA256: cf87f1aa3122701b50570303d6663bf313c9dc5b1418785c0c44eb2d4409510a
SHA512: 8255176e00ab93d1765b3ed4197c5a7e17cd87b62b57bca458068df2d7d3ba5510b0e0673373605cce4ad53168bcbcb7ca5744ba276267a64473250a71b7706e

Filesize: 732KB (this entry is listed 6 times in the report)
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Filesize: 35.9MB
MD5: 70150e173740fe5fe9b00285b47b60de
SHA1: 91b7699f142f5d41bbda9c24468c0cf4b75d7426
SHA256: dc9e977713016621a4d09cbac7809ca1b9d6c3c2fb63100f6b8857f01bcd1196
SHA512: e225d4c24b07b8b43a72b369efbe22085991114a5c3ee33fed65d017b8ef9c1c9b3ae75be0701c4283681aa311a09f26bf378c7f23cc1f5f777319874453e833

Filesize: 234KB
MD5: 91480253b7d1de28ccde41e8cbb1da10
SHA1: 4f0db59cf4cfc47e6518fa8a79900c01708fb326
SHA256: b3a07e078667558994034ecce19b995c583b45c6332008e7f466f53ad42ea38b
SHA512: 99341ac9e688b1b33d9358481d22c87c22bfede820ad8fe4f7587dc7d6b3b5732e78555a1c52454c84392285e90001c77ec07d3acd4d9f3b8f0f51b6e5ad0d4b

Filesize: 32KB
MD5: 3a77a4f220612fa55118fb8d7ddae83c
SHA1: b96fa726fc84fd46d03dd3c32689f645e0422278
SHA256: 2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f
SHA512: 33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d