cybergate | aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

Analysis

max time kernel
177s
max time network
193s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
Size

639KB
MD5

1d12caac9cf70f982331c1bc4461783e
SHA1

1249e8a0ac9f83b619bf376abf089821b15ed79f
SHA256

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21
SHA512

2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057
SSDEEP

12288:AlmOKxg09ePyOT94iVGDOMHS5VtIVQWaglJLobyQqVtQhU7:+KxlER48sOR7WaMNYyQqV5

Score

10^/10

cybergate l4ru agilenet persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l4ru

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642

Mutex

HN6MPGL8C6B6K0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
interface
install_file
csrsc.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
exploruse
regkey_hklm
exploruse

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exe

pid process

1532 IpOverUsbSvrc.exe
1160 atiesrx.exe

pid	process
1532	IpOverUsbSvrc.exe
1160	atiesrx.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1700-85-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/672-90-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/672-91-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/672-140-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exeIpOverUsbSvrc.exe

pid process

956 aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532 IpOverUsbSvrc.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exeatiesrx.exe

description	pid	process	target process
PID 956 set thread context of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 set thread context of 608	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 set thread context of 1644	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 set thread context of 680	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 set thread context of 568	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 set thread context of 992	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 set thread context of 1524	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 1160 set thread context of 920	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 1520	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 856	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 1052	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 1952	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 652	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 956	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 2032	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 764	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 1192	1160	atiesrx.exe	AppLaunch.exe
PID 1160 set thread context of 816	1160	atiesrx.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeIpOverUsbSvrc.exeAppLaunch.exe

pid	process
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1700	AppLaunch.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
608	AppLaunch.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1644	AppLaunch.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
680	AppLaunch.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
1532	IpOverUsbSvrc.exe
956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exeAppLaunch.exeIpOverUsbSvrc.exeatiesrx.exe

description	pid	process
Token: SeDebugPrivilege	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
Token: SeDebugPrivilege	672	AppLaunch.exe
Token: SeDebugPrivilege	672	AppLaunch.exe
Token: SeDebugPrivilege	1532	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1160	atiesrx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exeAppLaunch.exe

description	pid	process	target process
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1700	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	AppLaunch.exe
PID 956 wrote to memory of 1532	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	IpOverUsbSvrc.exe
PID 956 wrote to memory of 1532	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	IpOverUsbSvrc.exe
PID 956 wrote to memory of 1532	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	IpOverUsbSvrc.exe
PID 956 wrote to memory of 1532	956	aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe	IpOverUsbSvrc.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe
PID 1700 wrote to memory of 672	1700	AppLaunch.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
"C:\Users\Admin\AppData\Local\Temp\aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:1192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
b26bbcfb276900a1eed8ba68446a2d06

SHA1
1969dcdfde0ef2f9a47db4e722f591b50e980b59

SHA256
e7290f0d95c5b4508b722a8e2c79ff4073bf33a82f63fbf9c5f692667e79cd33

SHA512
67c475f3efb03e90e4fa06b79945a9169b22d4f31202d0ebbb62cff428ce2a6330ef459a8bfb6f3133f29dfa51cca9561835eeaf1e8a7b044373fbaa4ab49e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
11KB

MD5
f8bc8d1ca96a71ae8e1e94a16c2b0b7f

SHA1
fc70099b050befc0d3912c9ecdc234d967fc22a5

SHA256
7038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f

SHA512
18b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
11KB

MD5
f8bc8d1ca96a71ae8e1e94a16c2b0b7f

SHA1
fc70099b050befc0d3912c9ecdc234d967fc22a5

SHA256
7038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f

SHA512
18b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
639KB

MD5
1d12caac9cf70f982331c1bc4461783e

SHA1
1249e8a0ac9f83b619bf376abf089821b15ed79f

SHA256
aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

SHA512
2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
639KB

MD5
1d12caac9cf70f982331c1bc4461783e

SHA1
1249e8a0ac9f83b619bf376abf089821b15ed79f

SHA256
aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

SHA512
2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
11KB

MD5
f8bc8d1ca96a71ae8e1e94a16c2b0b7f

SHA1
fc70099b050befc0d3912c9ecdc234d967fc22a5

SHA256
7038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f

SHA512
18b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
639KB

MD5
1d12caac9cf70f982331c1bc4461783e

SHA1
1249e8a0ac9f83b619bf376abf089821b15ed79f

SHA256
aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

SHA512
2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

Download Submit
memory/568-172-0x0000000000409860-mapping.dmp

Download
memory/568-180-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/568-181-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/608-104-0x0000000000409860-mapping.dmp

Download
memory/608-112-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/608-113-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/652-343-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/652-342-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/652-334-0x0000000000409860-mapping.dmp

Download
memory/672-83-0x0000000000000000-mapping.dmp

Download
memory/672-88-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/672-140-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/672-91-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/672-90-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/680-161-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/680-160-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/680-152-0x0000000000409860-mapping.dmp

Download
memory/764-402-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/764-403-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/764-394-0x0000000000409860-mapping.dmp

Download
memory/816-442-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/816-434-0x0000000000409860-mapping.dmp

Download
memory/856-283-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/856-282-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/856-274-0x0000000000409860-mapping.dmp

Download
memory/920-241-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/920-233-0x0000000000409860-mapping.dmp

Download
memory/920-243-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/956-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/956-56-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/956-223-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/956-55-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/956-354-0x0000000000409860-mapping.dmp

Download
memory/956-363-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/956-362-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/992-201-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/992-202-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/992-193-0x0000000000409860-mapping.dmp

Download
memory/1052-302-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1052-303-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1052-294-0x0000000000409860-mapping.dmp

Download
memory/1160-139-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-182-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-136-0x0000000000000000-mapping.dmp

Download
memory/1192-423-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1192-414-0x0000000000409860-mapping.dmp

Download
memory/1192-422-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1520-262-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1520-263-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1520-254-0x0000000000409860-mapping.dmp

Download
memory/1524-213-0x0000000000409860-mapping.dmp

Download
memory/1524-229-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1524-242-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1532-132-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-80-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-72-0x0000000000000000-mapping.dmp

Download
memory/1644-141-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1644-124-0x0000000000409860-mapping.dmp

Download
memory/1644-133-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-85-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1700-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-92-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-67-0x0000000000409860-mapping.dmp

Download
memory/1700-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1700-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1952-323-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1952-322-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1952-314-0x0000000000409860-mapping.dmp

Download
memory/2032-383-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-382-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-374-0x0000000000409860-mapping.dmp

Download