cybergate | baaef35c43e34186c7e2ff97f998e41692498a2c60f78eb294bf71ae7fe1e16b

General

Target

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe
Size

336KB
MD5

ed9183c25af4078b84e3f24b4f6d72ad
SHA1

192ee7bd81a054b2570414803b6e1ca602f108de
SHA256

baaef35c43e34186c7e2ff97f998e41692498a2c60f78eb294bf71ae7fe1e16b
SHA512

08b1e40fbc178822b623f9651330aee59228cf1eff021ed5e92e90788db96c6008f71f50b89002601803edbc19f954748753ef36e787efe2c5532dc234ad7e3e

Score

10^/10

cybergate persistence stealer trojan upx

Malware Config

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

w.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\msa\\wimpr.exe"	w.exe

Executes dropped EXE 3 IoCs

Processes:

wimpr.exew.exewimpr.EXE

pid process

2660 wimpr.exe
3576 w.exe
2504 wimpr.EXE

pid	process
2660	wimpr.exe
3576	w.exe
2504	wimpr.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2816-116-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2816-118-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1072-157-0x0000000024010000-0x0000000024072000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\w.exe	upx
C:\Users\Admin\AppData\Local\Temp\w.exe	upx
behavioral2/memory/2504-169-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exewimpr.exe

description	pid	process	target process
PID 1852 set thread context of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2660 set thread context of 2504	2660	wimpr.exe	wimpr.EXE

Drops file in Windows directory 3 IoCs

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXEwimpr.exe

description	ioc	process
File created	C:\Windows\msa\wimpr.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
File opened for modification	C:\Windows\msa\wimpr.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
File opened for modification	C:\Windows\msa\wimpr.EXE	wimpr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

pid process

1072 BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

pid	process
1072	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXEw.exe

description	pid	process
Token: SeDebugPrivilege	1072	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
Token: SeDebugPrivilege	1072	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
Token: SeTakeOwnershipPrivilege	3576	w.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exewimpr.exe

pid process

1852 BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe
2660 wimpr.exe

pid	process
1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe
2660	wimpr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exeBAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

C:\Users\Admin\AppData\Local\Temp\BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe
"C:\Users\Admin\AppData\Local\Temp\BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
"C:\Users\Admin\AppData\Local\Temp\BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
"C:\Users\Admin\AppData\Local\Temp\BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE"
3⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\msa\wimpr.exe
"C:\Windows\msa\wimpr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\msa\wimpr.EXE
"C:\Windows\msa\wimpr.EXE"
5⤵
- Executes dropped EXE
PID:2504

C:\Users\Admin\AppData\Local\Temp\w.exe
"C:\Users\Admin\AppData\Local\Temp\w.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
4⤵
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5
66c4d4b77ccf11f96419d337b97cc409

SHA1
478d6cd9ec4c5076dc1901c79a7e275bc354073f

SHA256
6e98c4d80a9b64efda0967ccfdbb9d016d649dbea363e3d22a5c69d8d7b39aa8

SHA512
80efd8b80ced18d13a76f35a7469b3f02e3b849747c8fb4108da0808c116be8b3c333522949df6f60888717ff886e25c1afe2aac2c3e688b56394701fc672b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.txt
MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.vbs
MD5
615964e5ab63a70f0e205a476c48e356

SHA1
292620321db69d57ba23fa98d2a89484ddcf83d0

SHA256
38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

SHA512
69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\w.exe
MD5
7d7a0419f7bd586c93f17dc06be2ca29

SHA1
ddc69c7c8388f98859a0afa1d724176e8ee6977d

SHA256
a25915348d3fdaa9e9774e365c1b033e5b2ca8ea814b2155ae49c55842ffc21e

SHA512
782447505006a6eb8db599a8cdf83e1323c1be66b9556c641aa0f21c530522e8a0fac1c89f8c7be3ec3839816806b53568df85dbd0e88586b5ea911d971eebf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\w.exe
MD5
7d7a0419f7bd586c93f17dc06be2ca29

SHA1
ddc69c7c8388f98859a0afa1d724176e8ee6977d

SHA256
a25915348d3fdaa9e9774e365c1b033e5b2ca8ea814b2155ae49c55842ffc21e

SHA512
782447505006a6eb8db599a8cdf83e1323c1be66b9556c641aa0f21c530522e8a0fac1c89f8c7be3ec3839816806b53568df85dbd0e88586b5ea911d971eebf3

Download Submit
C:\Windows\msa\wimpr.exe
MD5
ed9183c25af4078b84e3f24b4f6d72ad

SHA1
192ee7bd81a054b2570414803b6e1ca602f108de

SHA256
baaef35c43e34186c7e2ff97f998e41692498a2c60f78eb294bf71ae7fe1e16b

SHA512
08b1e40fbc178822b623f9651330aee59228cf1eff021ed5e92e90788db96c6008f71f50b89002601803edbc19f954748753ef36e787efe2c5532dc234ad7e3e

Download Submit
C:\Windows\msa\wimpr.exe
MD5
ed9183c25af4078b84e3f24b4f6d72ad

SHA1
192ee7bd81a054b2570414803b6e1ca602f108de

SHA256
baaef35c43e34186c7e2ff97f998e41692498a2c60f78eb294bf71ae7fe1e16b

SHA512
08b1e40fbc178822b623f9651330aee59228cf1eff021ed5e92e90788db96c6008f71f50b89002601803edbc19f954748753ef36e787efe2c5532dc234ad7e3e

Download Submit
C:\Windows\msa\wimpr.exe
MD5
ed9183c25af4078b84e3f24b4f6d72ad

SHA1
192ee7bd81a054b2570414803b6e1ca602f108de

SHA256
baaef35c43e34186c7e2ff97f998e41692498a2c60f78eb294bf71ae7fe1e16b

SHA512
08b1e40fbc178822b623f9651330aee59228cf1eff021ed5e92e90788db96c6008f71f50b89002601803edbc19f954748753ef36e787efe2c5532dc234ad7e3e

Download Submit
memory/1072-120-0x0000000000000000-mapping.dmp

Download
memory/1072-123-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1072-122-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1072-157-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2504-167-0x0000000000457CB0-mapping.dmp

Download
memory/2504-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-159-0x0000000000000000-mapping.dmp

Download
memory/2816-116-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2816-118-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2816-117-0x0000000000457CB0-mapping.dmp

Download
memory/3488-170-0x0000000000000000-mapping.dmp

Download
memory/3576-160-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 1852 wrote to memory of 2816	1852	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.exe	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE
PID 2816 wrote to memory of 1072	2816	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE	BAAEF35C43E34186C7E2FF97F998E41692498A2C60F78.EXE

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads