Analysis

max time kernel: 19s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 12:54
Static task: static1
Behavioral task: behavioral1
Sample: ce1cad6bad06a0829eb3e79d542346a9.exe
Resource: win7-20240221-en

General

Target: ce1cad6bad06a0829eb3e79d542346a9.exe
Size: 751KB
MD5: ce1cad6bad06a0829eb3e79d542346a9
SHA1: e9218c6f5023ba12456c315938e87af2516032f2
SHA256: 50dd5b286881767006a5fc79500e49568c31cbe9b2711ce54aac1cd111d81da6
SHA512: 26dd7660c2ee06a17b82d9234676d7162c99450e60d90cd4c08ea4d3793a80ea824652f0a4d548d32685ee76232069ea2b06bb6e065d3c67237d823467df604f
SSDEEP: 12288:lxf8DmbVEld2TKKNpPQ3jKtfLgvBpBARkw5uQZOWHkmuMAkomCJO:lxfAZwPojKFo7K6wUwTulSCJO
Malware Config

Extracted family: cybergate
Version: v1.07.5
Cyber
acehax.no-ip.biz:4572
A03L0A3F56HU16
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 8 IoCs; process: vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"
- Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
- Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Modifies Installed Components in the registry (2 TTPs, 6 IoCs; process: vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"

Executes dropped EXE (2 IoCs)
- PID 1396 ce1cad6bad06a0829eb3e79d542346a9.exe
- PID 1208 ce1cad6bad06a0829eb3e79d542346a9.exe

Loads dropped DLL (2 IoCs)
- PID 2228 ce1cad6bad06a0829eb3e79d542346a9.exe (two entries)

YARA rule upx matched on process memory (2 IoCs)
- behavioral1/memory/1488-1474-0x0000000010410000-0x0000000010475000-memory.dmp (PID 1488, the SysWOW64 explorer.exe in the process tree)
- behavioral1/memory/3032-1800-0x0000000010560000-0x00000000105C5000-memory.dmp (PID 3032, the second vbc.exe in the process tree)
Uses the VBS compiler for execution (1 TTP)
The "VBS compiler" is vbc.exe, the Microsoft-shipped .NET Visual Basic compiler under C:\Windows\Microsoft.NET\Framework\v2.0.50727. Each sample process launches it with no source files or switches (see the process tree) and then writes into it and sets its thread context (see the SetThreadContext and WriteProcessMemory signatures), so the compiler is being used as a trusted host for the payload rather than to compile anything. A genuine compiler invocation normally carries switches or a response file on its command line.
Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartUp Name = "C:\\Users\\Admin\\AppData\\Roaming\\RSBuddy Client.exe" (ce1cad6bad06a0829eb3e79d542346a9.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" (vbc.exe)
The first entry is written by the dropper itself; the other four are the CyberGate payload, and their value names "HKLM" and "HKCU" are the regkey_hklm and regkey_hkcu fields of the extracted config.
Drops file in System32 directory (6 IoCs; process: vbc.exe)
- File created: C:\Windows\SysWOW64\install\server.exe (three entries)
- File opened for modification: C:\Windows\SysWOW64\install\server.exe (three entries)
The config and the registry values above name C:\Windows\system32\install\server.exe, but the writer is a 32-bit process on x64 Windows, so WOW64 file-system redirection places the file under C:\Windows\SysWOW64. When hunting, check both paths.
Suspicious use of SetThreadContext (3 IoCs)
- PID 1208 (ce1cad6bad06a0829eb3e79d542346a9.exe) set thread context of PID 2576 (vbc.exe; procid_target 30)
- PID 2228 (ce1cad6bad06a0829eb3e79d542346a9.exe) set thread context of PID 2468 (vbc.exe; procid_target 31)
- PID 1396 (ce1cad6bad06a0829eb3e79d542346a9.exe) set thread context of PID 2604 (vbc.exe; procid_target 32)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries come from the three sample processes, PIDs 2228, 1396 and 1208 (ce1cad6bad06a0829eb3e79d542346a9.exe).

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2228 ce1cad6bad06a0829eb3e79d542346a9.exe
- Token: SeDebugPrivilege, PID 1396 ce1cad6bad06a0829eb3e79d542346a9.exe
- Token: SeDebugPrivilege, PID 1208 ce1cad6bad06a0829eb3e79d542346a9.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 2468 vbc.exe
- PID 2604 vbc.exe
- PID 2576 vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs), grouped by source and target
- PID 2228 (ce1cad6bad06a0829eb3e79d542346a9.exe) wrote to memory of PID 1396 (procid_target 28): 4 entries
- PID 2228 (ce1cad6bad06a0829eb3e79d542346a9.exe) wrote to memory of PID 1208 (procid_target 29): 4 entries
- PID 1208 (ce1cad6bad06a0829eb3e79d542346a9.exe) wrote to memory of PID 2576 (procid_target 30): 14 entries
- PID 2228 (ce1cad6bad06a0829eb3e79d542346a9.exe) wrote to memory of PID 2468 (procid_target 31): 14 entries
- PID 1396 (ce1cad6bad06a0829eb3e79d542346a9.exe) wrote to memory of PID 2604 (procid_target 32): 14 entries
- PID 2468 (vbc.exe) wrote to memory of PID 1200 (Explorer.EXE; procid_target 21): 8 entries
- PID 2604 (vbc.exe) wrote to memory of PID 1200 (Explorer.EXE; procid_target 21): 3 entries
- PID 2576 (vbc.exe) wrote to memory of PID 1200 (Explorer.EXE; procid_target 21): 3 entries
The sample-to-vbc.exe writes pair with the SetThreadContext entries above; the vbc.exe-to-PID-1200 writes target the desktop shell, which is the injected_process (explorer.exe) from the extracted config.
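The extracted config and the registry signatures above describe the same persistence from two sides: install_dir and install_file give the drop path, regkey_hkcu and regkey_hklm are literally the value names written under the Run keys, and the Policies\Explorer\Run and Active Setup StubPath entries are the two less common autostart locations. The Python below is an added example, not part of this report and not CyberGate code: it derives those expectations from the config fields and runs them over a few constructed Sysmon-style "registry value set" events (three rebuilt from the IoCs above, one benign control row). The Sysmon field names (Image, TargetObject, Details) and the OneDrive control row are assumptions.

```python
"""Derive CyberGate persistence artifacts from its config and match registry events.

Added example, not part of the sandbox report. Config values are the ones extracted
on this page; the Sysmon event shape and the benign control row are assumptions.
"""
import re

# Extracted CyberGate v1.07.5 config fields that drive persistence.
CONFIG = {
    "install_dir": "install",
    "install_file": "server.exe",
    "regkey_hkcu": "HKCU",   # value name written under HKCU\...\Run
    "regkey_hklm": "HKLM",   # value name written under HKLM\...\Run
}

# A well-formed Active Setup component id: 8-4-4-4-12 hex digits in braces.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


def normalize_key(path):
    """Map Sysmon's native registry paths onto HKLM/HKCU and drop Wow6432Node."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[0-9-]+\\", r"HKCU\\", path, flags=re.I)
    return path.replace("\\Wow6432Node", "")


def install_path_re(cfg=CONFIG):
    """Regex for '<drive>:\\...\\<install_dir>\\<install_file>' built from the config."""
    tail = re.escape("\\" + cfg["install_dir"] + "\\" + cfg["install_file"])
    return re.compile(r"^[A-Z]:\\.*" + tail + r"$", re.I)


def classify(event, cfg=CONFIG):
    """Return the finding labels for one 'registry value set' event (empty = benign)."""
    key = normalize_key(event["TargetObject"])
    parent, _, name = key.rpartition("\\")
    data = event.get("Details", "").strip('"')
    findings = []

    # 1. Policies\Explorer\Run is populated by Group Policy; a user-mode process
    #    writing it directly is the 'Adds policy Run key' signature above.
    if parent.lower().endswith(r"\policies\explorer\run"):
        findings.append("policy_run_write")

    # 2. Active Setup StubPath under a component id that is not a real GUID; the
    #    sample used {XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}, which has non-hex chars.
    grand, _, component = parent.rpartition("\\")
    if (name.lower() == "stubpath"
            and grand.lower().endswith(r"\active setup\installed components")
            and not GUID_RE.match(component)):
        findings.append("active_setup_bogus_guid")

    # 3. Payload path equals the configured drop location (StubPath carries a
    #    trailing ' Restart' argument, so strip it before matching).
    exe = data[:-len(" Restart")] if data.endswith(" Restart") else data
    if install_path_re(cfg).match(exe):
        findings.append("config_install_path")

    # 4. Run value named after the config's regkey_hkcu / regkey_hklm fields.
    if (parent.lower().endswith(r"\currentversion\run")
            and name in (cfg["regkey_hkcu"], cfg["regkey_hklm"])):
        findings.append("config_run_value_name")
    return findings


def scan(events, cfg=CONFIG):
    """Return (writer image, normalized value path, findings) for each suspicious event."""
    hits = []
    for ev in events:
        found = classify(ev, cfg)
        if found:
            hits.append((ev["Image"].rsplit("\\", 1)[-1], normalize_key(ev["TargetObject"]), found))
    return hits


# Constructed events: the first three reproduce IoCs from the signatures above,
# the fourth is a benign control row (an ordinary per-user Run entry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": r"C:\Users\Admin\AppData\Roaming\install\server.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XKFL113I-BA12-7614-DU18-6N0G2PS6YQ7U}\StubPath",
     "Details": r"C:\Windows\system32\install\server.exe Restart"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\system32\install\server.exe"},
    {"Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for image, path, findings in scan(SAMPLE_EVENTS):
        print(f"{image:8} {', '.join(findings):48} {path}")
```

The Active Setup check is deliberately independent of this sample's paths: a StubPath written under a component id that does not parse as a GUID is a cheap, high-signal rule on its own, and the config-derived checks can be re-pointed at another CyberGate build by swapping the CONFIG values.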
Processes

- C:\Windows\Explorer.EXE (PID 1200), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe (PID 2228), command line: "C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe"
    Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe (PID 1396), command line: "C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2604), command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Modifies Installed Components in the registry; Drops file in System32 directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\explorer.exe (PID 1488), command line: explorer.exe
          - C:\Users\Admin\AppData\Roaming\install\server.exe, command line: "C:\Users\Admin\AppData\Roaming\install\server.exe"; ten instances: PIDs 2240, 2336, 1668, 312, 1532, 2712, 1860, 2400, 788, 2896
        - C:\Program Files\Internet Explorer\iexplore.exe (PID 2824), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3032), command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          - C:\Users\Admin\AppData\Roaming\install\server.exe (PID 2184), command line: "C:\Users\Admin\AppData\Roaming\install\server.exe"
    - C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe (PID 1208), command line: "C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2576), command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Adds policy Run key to start application; Modifies Installed Components in the registry; Adds Run key to start application; Drops file in System32 directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\explorer.exe (PID 1652), command line: explorer.exe
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2468), command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Adds policy Run key to start application; Modifies Installed Components in the registry; Adds Run key to start application; Drops file in System32 directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 1824), command line: explorer.exe
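The tree shows the chain behind the SetThreadContext and WriteProcessMemory signatures: each sample process starts vbc.exe (the .NET Visual Basic compiler) with no arguments, writes into it and sets its thread context, and that vbc.exe in turn spawns a SysWOW64 explorer.exe (the config's injected_process) and the dropped server.exe. The Python below is an added example, not part of this report: it rebuilds the tree from (pid, ppid, image, command line) records taken from the page and flags compilers that are launched with nothing to compile or that spawn shell-like children, next to a constructed MSBuild build that must not be flagged. The Sysmon process-creation shape and the MSBuild rows (PIDs 4000 and 4001) are assumptions.

```python
"""Process-tree check for the compiler-hollowing pattern shown in the tree above.

Added example, not part of the sandbox report. Records are rebuilt from the tree
on this page; the Sysmon process-creation shape and the MSBuild control rows are
constructed assumptions.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ce1cad6bad06a0829eb3e79d542346a9.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"
SERVER = r"C:\Users\Admin\AppData\Roaming\install\server.exe"

# (pid, ppid, image, command line); the ten server.exe children of PID 1488 are
# abbreviated to two. PIDs 4000/4001 are a constructed benign build for contrast.
PROCS = [
    (1200, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2228, 1200, SAMPLE, f'"{SAMPLE}"'),
    (1396, 2228, SAMPLE, f'"{SAMPLE}"'),
    (2604, 1396, VBC, VBC),
    (1488, 2604, EXPLORER32, "explorer.exe"),
    (2240, 1488, SERVER, f'"{SERVER}"'),
    (2336, 1488, SERVER, f'"{SERVER}"'),
    (2824, 2604, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    (3032, 2604, VBC, f'"{VBC}"'),
    (2184, 3032, SERVER, f'"{SERVER}"'),
    (1208, 2228, SAMPLE, f'"{SAMPLE}"'),
    (2576, 1208, VBC, VBC),
    (1652, 2576, EXPLORER32, "explorer.exe"),
    (2468, 2228, VBC, VBC),
    (1824, 2468, EXPLORER32, "explorer.exe"),
    (4000, 1200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe app.vbproj"),
    (4001, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     r'vbc.exe /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp1234.rsp"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}          # .NET compilers abused as injection hosts
SHELL_LIKE = {"explorer.exe", "iexplore.exe"}  # children a compiler has no reason to start


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_args(cmdline):
    """Everything after the executable token of a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def build_index(procs):
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def ancestry(pid, by_pid):
    """Root-to-leaf chain of 'image(pid)' strings for a process."""
    chain = []
    while pid in by_pid:
        chain.append(f"{basename(by_pid[pid][2])}({pid})")
        pid = by_pid[pid][1]
    return list(reversed(chain))


def find_hollowed_compilers(procs):
    """Flag compilers started with nothing to compile or spawning shell-like children."""
    by_pid, children = build_index(procs)
    findings = []
    for pid, _, image, cmdline in procs:
        if basename(image) not in COMPILERS:
            continue
        reasons = []
        if not cmdline_args(cmdline):
            reasons.append("no_compiler_args")
        odd_kids = {basename(by_pid[c][2]) for c in children[pid]} & SHELL_LIKE
        if odd_kids:
            reasons.append("spawns_" + ",".join(sorted(odd_kids)))
        if reasons:
            findings.append((pid, " -> ".join(ancestry(pid, by_pid)), reasons))
    return findings


if __name__ == "__main__":
    for pid, chain, reasons in find_hollowed_compilers(PROCS):
        print(f"PID {pid}: {', '.join(reasons)}\n    {chain}")
```

Run as-is it reports the four vbc.exe instances from the tree (2604, 3032, 2576, 2468) with their full ancestry back to Explorer.EXE, and stays silent on the MSBuild-driven vbc.exe, whose command line carries a response file. On a real host the same two rules can be fed from Sysmon EventID 1 records; pairing them with the SetThreadContext signature above removes the remaining false positives from oddly written build scripts.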
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224KB
MD5: a57fad0f50b6e09c768c8b1592da09a9
SHA1: ad0ee0861fb20dada980d863c31154bbc4774d69
SHA256: d1514e8ebd7e5d42efc5b1def3abf83621ab7f6adc522d1cc9501dbdbd19e40c
SHA512: 8fae3eb34f7a5d5ddcbbee420793478325f0d64d818bdc811b68e1f4a209e684c25b5b4e6040eae3db52e5c19218ec43d1360dc63905d9155f59979870ea2d37

Filesize: 128KB
MD5: 8a96e6f20b51854722dda86dfb0059f7
SHA1: edab45a20f60f2bb1e78d7a9dcf46ad4a77efb4a
SHA256: 57b394f7d73055750bbbe55d5bbbf08659c8aa01ab64d8eeab61ebccac011e51
SHA512: a440c949920134e11c31ab84450e1d0119d0fa643bd983b0b5be7d7f8063d6a7f7990124ab122c4b4660bf70d62825e16fc69922129d7a0412e1436c5e864fbc

Filesize: 64KB
MD5: d259e840ffcd1985fadec436cac85834
SHA1: de35a06f05d493b4f142dc850144261061bad32d
SHA256: 148304f1dc8d1ce93b619b18487b36b7611ae2fad69e4d307b4c438f35c495de
SHA512: 1727ff428292fd46bfae2b0e73ae03258f766056d9a4fb50d152dc51f5922b05859dab739553f794c5a136d887e1ebeb5d8d85769d9f9cf1f31f3dbb888968f9

Filesize: 8B
MD5: be23463c2564197cadd34dbdcd4a4423
SHA1: 21c1360a16aa8bd6d984a213ed79116e7cefd37c
SHA256: e5ff53ffccffc79c169b472fe71b7ba1bd21c31ef886919c1a3e2d019fb40ae2
SHA512: 37c1cf9e60333cdaee4a57856658d86a758d96939ce1022bdcabcd4b96617133ea32b82c5138d1d884c64b8c3da8d6463c7429452a1befbf074ebab10d12fe04

Filesize: 8B
MD5: 652693cd7a1e9adc92b2c41de14a96b8
SHA1: 8770951f4ad67c41f7681d22f8e40f89274c4874
SHA256: 4e4f3c752809e4f88233d4bdd4cc20b7908b0c91681ef47c6bef3eb711593aad
SHA512: 2e5c7ad1e8057fece6354bd9694362d943e13ffff81f5436821894208d1798f55503f24522594201593b045202fdfd02745bbc1cf89b2ec8a6b0278dee845d39

Filesize: 8B
MD5: 11dcf307a18340a655e320b82d9f7f24
SHA1: be4fa8a11fbffaf58ce3a7bf5e25c532a767f8fd
SHA256: 81e67f3c6bd93d37ec07077f7e30984f150134eb46026b3542d20a3f0e0fd47a
SHA512: 5837a0e51726a1b54815a66077a74cceb99e7142663bd7119cf156eaac28423fe36ca76e39614c21c1795ad7b9648c2d4369baa9fc9231f29bc836ceb08f4699

Filesize: 8B
MD5: 9c219916e692e63d1e40b2ed2908693c
SHA1: 12ae37202f244b001a0444dd04760141f34f0232
SHA256: 5988eec13b87771c89fc1b9049c6b36e8740640d57b3007299849d2136a68cc3
SHA512: 5a87f38176441c9121995c32571056faca8413d30e6f2658241e540f4978b0a1901b1a321dbfc00b6f22272a72553c574c69ecdb39f6ab0a021b0362cdcea2df

Filesize: 8B
MD5: 11f436778f0e8ef0eb82fec2a98fdb8d
SHA1: 570e055477ac41c59e4e1df872d85b53cace8bff
SHA256: cdbe49693f3bb1b8510622fc0e52767e96173058b0ee25c25f7f3c0fa3d7fa9c
SHA512: a33b63bf47c5b12712eb22e70d3afa54c5bfe0e5c080b0221dd9a78896e4538b0e49b290f9b0b8bf3fbec2c7a2262a1212766592472a10f76019983a26bc6875

Filesize: 8B
MD5: 0fda28e79a33dc5320a9a0029e9ed528
SHA1: a6e25b687ae3b81b85e8202299c83a8a54c41a60
SHA256: 79352f9bd545d9a494b4072288872a6b4d1e6370bf1a549d31b969cae995016c
SHA512: 3141c38254a4c80566b177e30873306d045383b9cd73af1375880bb611f8bc6eacbc992dc2d45caaf73817389a90724ef7ae6cf7a7a05b952175e6f0a56b69ed

Filesize: 8B
MD5: 8aa7689272292187185c306fb188f570
SHA1: bcaa3f183260c7b226db5eb0fb3261614524aee3
SHA256: f93a537a044823fcb424612109005b3a3afefeabd3e2c8868cf3b43bb10d1169
SHA512: 16f9e7a6dcf84b6d7027f0bb54731528bbc7700ea7232ee3af109c382514c9ea7ed91281c81fbab714578ad247972558ad530dcca20be9ef71b27d2faa921a9d

Filesize: 8B
MD5: a83d300c0bfe1efa4e33690bc241beca
SHA1: 3522f5daf52b1abdbc8cbdbd2120cd9b96cf454b
SHA256: 6ee90d795138fcf82456e65d9101c9827f88646142c333ed5ea930114445af38
SHA512: 0a28728401454af09fb2a9a6a55257fe068f57a9cbfff37ad77b08b745317a2722b68dc502fc8de8d033ffabeb8547018244e46cdf05e1ae60689cccdd537317

Filesize: 8B
MD5: 26ac71458469b26241fc931d6eac7215
SHA1: a2c6cfa35c1b53300c0750c97e22c45cf191c2c1
SHA256: a873686b57be0365d3914b2f766ef8f9e2b43f297d7b5b9356819d8f76936625
SHA512: 333ad91dd73b2590671dba82dcb257a2267b81f4895e8c73bfd4d29151ef20726a52e6dc5eaef3169d4fe044b4b8eabd254a3384fea09c34bf3d4d9cb3b71b27

Filesize: 8B
MD5: be38b04e1dc0854d2b2f835e7baf97e3
SHA1: 06af952ce15e872206676a960f200727fdaabba2
SHA256: 7fc775c43158dc64e64311b38a12a067fd9709a8b79f08bfa7d7b970d6f9b5ed
SHA512: 2911daef16736ad09a12b3db14a59084b59fa3f393049c0ab33e28ac8f0c01616c4fb3dfeae6c2b2c46826e617e4575dea5153c26abe76665cec2dde931c2b90

Filesize: 8B
MD5: 462899c1f30abd8d2621a06fa5e514a2
SHA1: c19a8b9866d290ab8f47689a3287df1444494fb7
SHA256: 1090784c3a0061d4986cbc3d103633bc2ed62047e1752d638dade3e9bf0de41c
SHA512: 848cb8af400c2618394c3f92554836a16bedd1d4ab6b669c33d232f6b5826b5b99dc8dded40ee340e3980f9f665be50946703b0333ce9ff4bb634f51eded813b

Filesize: 8B
MD5: ef6c6a1a4445acf5756e8d47a0b92541
SHA1: b767bbf5c5785e9d0e96b531cc644ecd8fd38ec2
SHA256: 6226974b4781ce75a6f423f28f9c83391505d9a033f4347066cab201f57693eb
SHA512: 186b4e9f1f2d05ef962934943d489f1e64fd4516646e293e9d85bff24f71bf99aed1232bed227c9511885dfe9b29cd9db7a3ede9a652b20387a923fc91403259

Filesize: 8B
MD5: 07a211ab5ffbc1ca8fb45da960ff1496
SHA1: c656915b755c0cfb470794c5d19ba69264e242f4
SHA256: 2e8c9f90ece648e5ec74d6650cef9156225d014ad101f7feffcff7afe49bc923
SHA512: 22b8ed03aa2a7f3c836d12a718f6b692cd3f874914a6bbff2cbeb37032ba7be8abb64848417ae50beddf0acb7f956a60a4b051c8116d02a8af57a772b3f1bf8c

Filesize: 8B
MD5: 7e634ec470b2c1634fb60528bc45917e
SHA1: f42866ee181109348eb9b7ff3b6de28400b43e70
SHA256: b389ea5ecabc8e97b91c1f2995f8194177c54ad6061c7fdd9730f55573d5c984
SHA512: c9a2e4280a14702c89027e3a405af164b6b6bb6e20c33dc86480a827bb72eb8251b45a43853447bd96af7707f14ccc76e5b4523ac94b94a1141e359137522a1a

Filesize: 8B
MD5: b7a51d0d03198e8cd753b60ae08e9761
SHA1: 74544c0a6f81c7438e96e8e5764f51cfd9119a5e
SHA256: 9fde1af1286aee3fcd75b950f83d6305a7ef7b39282ffdfcac5c683fb2e0bf37
SHA512: 3e384650584525f1cff9327e2b40694fc530501ece36331f0eb267e9dbc21fbd274ee67c8954bc8c5c557ed662482564bfaa365a0c24c5793246d9d55953739b

Filesize: 8B
MD5: 593c3f851149448470a94d2eb1e21719
SHA1: 983fcaf5da8b92c0a20b78be64a7a9bd768d6955
SHA256: 85d2d688be176213afaad1e285e789eeadc26f45e7ec606fe7073bd849c27519
SHA512: e3074bfa1bc34adf6dca1bbbb89a29518a7a141f6767e5dfcbda5c2f75750f857a6845e4303ff00aed1b4296b4449b1c70794bf013e1d141bc2a7834cecdffe9

Filesize: 8B
MD5: caacf6baf71aa7f4e8c767c793566a0a
SHA1: d199799b31787cd3e529e8c9e38525f110cc18e9
SHA256: d356f4014c6986758533ab1819f9df4c7a15c45851ab7f51f3b205adae69c0bb
SHA512: 435efaf6fb795d9411c77966454cde2d6d55f4a744cfe6edd5b2edd953ea4d0e862887e5a070d13052edad84ab6634a83aa6d277063c46ee8e51a46d9a4572cf

Filesize: 8B
MD5: 90aaf29b56a71a7ff93ab0529dc28fef
SHA1: 38a0ac3aeddf85173bfce7537b65d849b9716901
SHA256: fdd4c4775c86da60069e327ce60ee36be8c737ebfa544e4e50aa798b7482f125
SHA512: 03b3ad8fd86758c7133f32e762553ba582e5ef4b3c40d9289af365547f047348cacdc427f2591bb10a05684a0498aa875debfaa5e0c274ac18357565b2d40653

Filesize: 8B
MD5: 06d43846a8311e0ddc00c86c6e2d63b8
SHA1: f1fcd3f9425dba62b3dd1b21e4268a1236cfc6ca
SHA256: de811698fd527dc9ba7d4758d3dd5c37d0cb9943ffd120802114ddef9dd2ae62
SHA512: 13eaaec1b0394ff2bf3c2adbf01b0ad489b441b0fb7f3f781a8cc62464b1135f7a80008165e75ac7590a8d501765b4ecddba2771211fed242cb200a6636ed538

Filesize: 8B
MD5: 41b88f1f80729b0620b06d7d864a0369
SHA1: 5845bb6392750283b61503ddf4b681e8787c4d9f
SHA256: cb69eb291a5eac0700061cc1f8ba294e2df8e7a940cf61ef5d48d094bb10f851
SHA512: e1925289330499386e83d01f2d3251c8e845108b56f601311ab6c9ee507d488d998f51cef12492a1e9df467a1fa6fbefb50d4c60e74a9dc551ae54f8e99fd296

Filesize: 8B
MD5: cdf934e11eae1b9e3d490becbf0ea6f7
SHA1: 5d2789dece6d63fcd8877b9f6f0d8720a964be86
SHA256: e3146c9d6b90b350a70ca11da79eefeb0c72187bb0014114ce5ccd3fe79870b0
SHA512: dfbd7ff782f43d94b076e510558f9cb2ae596cc11b8afab127fef52700d66ebed0d3db770e6eaee0d560597ffc4804c11f6ba33a40058dbc5bf1075b1955abdb

Filesize: 8B
MD5: 6d981527ae8d76a6723f463fc555b022
SHA1: d5a9383b33de9b6908aea143dbde7a481ac5783f
SHA256: b91e39e9b51834c27148833c37cef47536269dbf35a8b0cc8f4ccbf01462a9d6
SHA512: c3d79af760cf3a0382ff38c9c8cfb104a99e02e427996876d9e5cfc74f429357a39ef6a49fdfdf88b7b0330e274856477fd5f1abd519f3024d0240c1f5f95f3f

Filesize: 8B
MD5: 12c9fc44506e892d74f08dc589b15539
SHA1: 25f755ce59bdff7a0d617c7df6836acef8337ed0
SHA256: bff4ee50f8713be17379a8e47c4ab561af5ba193f8ca534d86f44768b25951c7
SHA512: d62f43d13bbcdb4d0ce9bd145e6de39a3868f0cdfa432479f9abbc72deda431eda5b4f91518173ddf47b1c7e58ceeea2cfeea4ca6b6d2d083ee707e98ea3b65a

Filesize: 8B
MD5: 5453495494a7f9290c5b0e65ad79eb70
SHA1: 1b4a72a938c448689164d810d0c310f6be2681ff
SHA256: c458767d4f77e3303bdf1c2c92d2b7fc9f4c6a15c013af32b2c60e3d798da828
SHA512: 771b16fbaa2ae4b68a6b580792bada392b28e13225ad0dd71cc7f8682728466f6da20182ad94b823356637a68e48ae9eadad1461338bbc426c2ba1b7d5067232

Filesize: 8B
MD5: c2a0e534ab030014d51202cc15a71ce5
SHA1: cde3b951c73ca0a996dac3ab562d837a90122960
SHA256: c77243428ee8c60dd9b5e15cacd8e652ed6d45292d92023961e279360e87fb84
SHA512: e89ee1d1cb691159ce6a84cdddd00aac43123ffb636bcedad267129f9b6a19f89e2abad006893a8aae33ae4a247daf0c6f4505a7d0f1733d141ce5ecaa464287

Filesize: 8B
MD5: 40c50c0c83c571df37e4d8bc154c2755
SHA1: 3018ad33aa246175035568dbc2ede7ab3a12f0e8
SHA256: 37375dab2c11495f2fa9ce77c02b71c0f9cd1c237e60e772671c1bd091f374f8
SHA512: 88089521a14e1dac99be5557fcc01da8268db186e0bd8de5c1827a0b7ebb21a5f2432c19099c3acf2961680dc3c6a2e1352ec69272f86d057e35c09dcb6a7417

Filesize: 8B
MD5: bd59db4503a51e8bbff1752222d12803
SHA1: 3ebc6ce3c6a82b88eb871e019cc1835bbbffe52c
SHA256: ad7352f8f27382c5912feaf60787bd2eb988ab0f2b883b94b94f9a6a3c9e5b76
SHA512: 856c5d62ce8d3541b8dcfc1041c8a7ec4266dfc167f0cf626ff63590245df588258756e644ca28dadba38f32c35d1df0a686727bed16675ed1c9963a473b696a

Filesize: 8B
MD5: ea093e0d201cf6cb96263be62a7c8eac
SHA1: a976b6a8587f8cb1edc89ddccfc8ab05aad02575
SHA256: b071695ca4438e8dda6757ba53abe8c1dd1f92fcf5601b3a050aba80a5b706d1
SHA512: 1f0cc89c8aaecf79e3f8e1cc4e9ee36059ab833f4ccb84a2e81ff9aed2ea1298a0b3cd194ade02b2e4ad7bad47f18861cc999f0bbd226b96e14657358f6f5491

Filesize: 8B
MD5: 504cc631ae88a42b4dee8b7ee1fb92bb
SHA1: 8cacc280311643ca1820d38af9b558e5846ecb4e
SHA256: 4766ad201257a742387735da0b2d59886f64494972d4ee4d0bb14c11ba1fc040
SHA512: 13eb7c860a13e2640ff2ddfd95f332fc310b9aa33f5284d3bff7d9e136c3b123f0f1a76ce40b365702b2b9c6f9f08020a510285b150cbced68067470e422b96a

Filesize: 8B
MD5: fda519ddaf5de0459014ddcff695c5a7
SHA1: 858fb67c2ecb6631948ae2cceb83f19a80a1146c
SHA256: 30083c37f34c5de3c0bc8f9a4d4274ad3b316a113e0df179e94fffe93332e251
SHA512: 0b653da16578b8c029b40a1d0b6c0b4c553fa444cdf7769c7729cae0027a62692a54610667ded7660afad94afe89c98bc79c2fd0f59ddacf50d5d4abcf9696f3

Filesize: 8B
MD5: b679324fee56982775acc657f6881269
SHA1: 332ab561f1eb4b801cd1a1cab4f442f1f64aa546
SHA256: c073d707060824b7c91f91a2c921936dbe6f7e230987f42888c600e2da56ce5e
SHA512: 7e878ae497490da2eca38b4cbbcab04a14161d20e82281d70b3025a9b7dca6d14f6971cb9cc060f99d06311c06765e4d2eea4e7b61851d9aba784400fba85ce0

Filesize: 8B
MD5: 2eadd469017d6e7a0bc5165fded7433c
SHA1: 6baf33157af792ae50d752e1384e22f1e51f9c19
SHA256: 0ebc2417b77a23f9e093b8fcb311f61d8fb72ad0ad2274305216b1bc66ac0ad2
SHA512: 771f3ceeb5c18993acacb0749ef17059f4da6a4f051ea79f7aa0c6b72e3ca98ff463d76cb37f7847ee3fd7b1301c5c3700d56d4eb166b6cfd1faa3bd53829f35

Filesize: 8B
MD5: 229de6531c62098e640287f1a4a8d37b
SHA1: 451038acc6bcba94bfaacd0af100e9ec62afacdb
SHA256: f50cc226b20f764afe770521a0d2ffab62e721f2bd018a20488ad6b1c7e5aabf
SHA512: f9ec27b0b6c36e85b8850de87b79d06c0be253fa969bd23d6d1adceb076fcb822015a4f674b6d45cf15a21bae57bb677aefea572f4d6706496c07012e4e7cd89

Filesize: 8B
MD5: a4a45540cd9d0ebabc804aa3a70f71ee
SHA1: ebde78e41daaf9c783bf4490f7cc029d7d75b3c2
SHA256: 2d4693db3bec440f57a5bbe33d07df8349d8754f5bbfc0e036ad7034d6c0dd5c
SHA512: e8022e77650312c8b39ce3778106b1d896b1f9352f0d7f6f345fb6705d82ad338fbdb6a9a1f6077ada91026fb8fc27baf8b63caf0938a2100ed9c3da2df400d7

Filesize: 8B
MD5: b417db152d1d4d1bb26e70a1b864df72
SHA1: 830d5133b6378fb05f6dedac19c28f22317f9246
SHA256: f7935008a488733690e4009f8d8ea436d7b6c19b8a72519340c5ebd50e514378
SHA512: 76cac57152bfc7ba9438faf62fef14ae5e6c389c8fbf20717d10b0a8e6ab234adfff0b0c187f00c2d8da38619f4f5bc7590a7b779fdf442547ccb3059c71df40

Filesize: 8B
MD5: fcb0cdd7c52306b0a788f5abbc0aa599
SHA1: 6d7df10e90b7708325f267792ea9a3cf7e2120b0
SHA256: 2b1ec9643bed77c8aec5e3ccb0927347063a1b040c5b8a87650744c57d837a65
SHA512: acbb789948c6f71a92c2888d4c2fb635294780e45866ae206b0ae549d7ef5cbd280bc84c3ca3c18590ab29de661a8eb119e5de8ef19f6d259e7b3483802fc8d0

Filesize: 8B
MD5: 80b630431fec4daa8a8b8f4a5d8f9540
SHA1: f79e48c383ed695e588300c193210a2647802d0a
SHA256: 5db9f261233ac057a71dbe1b9266d497bab8a8ac52c5718ffb42c11ddfded8ce
SHA512: 66f20fc77ded2f83f728bd8c7abad2466d60b21944502010a21d6b2c1e11a32c9990e8f684dc3f5d1d91781927a20e2a96f2106215f18be958d3fb107847b059

Filesize: 8B
MD5: 5a15c4346b83931d43d4680351cf0aa1
SHA1: e6653fb98fab9c7c447808457417297c9088dd76
SHA256: 0a2ae91ef0036f1b40e89e1c7820866bc90895a902f96cd63f3ace81849a9ada
SHA512: 546c5b569fb203e557294bfd5717a4e551fb7574f78d0e80e64a68e1e6118ee4e98512c996354773038d611b113dafd2a04e7553d4d2ed545fb1ef7845268f65

Filesize: 8B
MD5: f22ba9cc1b7037b6599db52399c32d2e
SHA1: f0f16bb71cc5bb02a22c7779b37c96235ead3aaa
SHA256: ae5f1388d9db50af08a1c4bfe1c7eb5c4be956192bd2170c036b03db2368611c
SHA512: 6bc9a02f4b374e3bb4b9d64a623f8aa7ae75b463d4201c503285de82f5a2e9496b96ba0b80bf1a22a226321a2f84ffcebba7ae71414e6d603478323f739d0616

Filesize: 15B
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA1: 466530987a347b68ef28faad238d7b50db8656a5
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Filesize: 192KB
MD5: 9194778055e2fc72df64d0b36d9fc593
SHA1: c3201f6baaf0b6d0a5a2646ccfe577db2657048f
SHA256: 99149023c72bedd8016fafa910ade0464089ad06557c4c7b430acb53a8152dbc
SHA512: 8b7ae4d3645e088abb68f441eafab81c11117ec5b25f8efcb3d81083502ef0899b9a1e571bd8c40d54070fab39e8b4aa0a87b565532b9d8f1338ce7dbfe0e3d1

Filesize: 128KB
MD5: 8f3202ac304c78448b48c93addfb4ca1
SHA1: f7d4893b7665ee0570e47747f169671263f2606b
SHA256: 5311dfa12d4aa6b5022cba7b2b1293ac0dcf8cec753c4d3e17ee5f03676b8e50
SHA512: bddf04fe8546dcc7ddb10b4d1f37cb4fad11f516fa60e3cfacc67684fc6aadf8e5278351bd87342bfeeda274ac16fd89c13864d6a797a6a66f5496c7bb124ba8

Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Filesize: 751KB (the submitted sample itself; hashes match the General section)
MD5: ce1cad6bad06a0829eb3e79d542346a9
SHA1: e9218c6f5023ba12456c315938e87af2516032f2
SHA256: 50dd5b286881767006a5fc79500e49568c31cbe9b2711ce54aac1cd111d81da6
SHA512: 26dd7660c2ee06a17b82d9234676d7162c99450e60d90cd4c08ea4d3793a80ea824652f0a4d548d32685ee76232069ea2b06bb6e065d3c67237d823467df604f

Filesize: 256KB
MD5: 736a394343d535f59d78ad66ff1e542e
SHA1: 23d2aca9f6d808b2445b7073a97f27ad9a0c189d
SHA256: 6b5a675cdae7d8b5d9e7555ea7997e002f5216b4ac0e13c4832d08a6dd20173b
SHA512: b4a54f52cdceb4199eeaf2800d9b9de4831adb24a3b48bdd451a1cbb3aea2e2041fe50940e25f9fe80333e7afc938fbada1102aa317c15964ec1fc181dfd6214