cybergate | 82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a

General

Target

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Size

315KB
MD5

fa7e49c844abb9d84bb581e9d64cbb81
SHA1

671f00b6f79cf9822c15d44fbaee804cf8351090
SHA256

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a
SHA512

955b00f740fbf1378163033dfdd8c0ed7efe95112ce8338eca8d0001e1900e611180c134432ddbb35f77d653573640fab2083ceb1a00a4b74f23b1949c04cc60
SSDEEP

6144:lOpslFlq3hdBCkWYxuukP1pjSKSNVkq/MVJbU:lwslmTBd47GLRMTbU

Score

10^/10

cybergate modiloader cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

crusaderthe.no-ip.biz:200

Mutex

101S2A484O73H7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Windows\install\server.exe	modiloader_stage2
C:\Windows\install\server.exe	modiloader_stage2
C:\Windows\install\server.exe	modiloader_stage2

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

4804 server.exe
3412 server.exe

pid	process
4804	server.exe
3412	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8H85THT8-7MJ0-L546-4520-H2K2G8PGO0WX}	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8H85THT8-7MJ0-L546-4520-H2K2G8PGO0WX}\StubPath = "C:\\Windows\\install\\server.exe Restart"	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4960-139-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4520-142-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4520-144-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4520-147-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe"	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe"	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exeserver.exe

description	pid	process	target process
PID 3156 set thread context of 4960	3156	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4804 set thread context of 3412	4804	server.exe	server.exe

Drops file in Windows directory 4 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	ioc	process
File opened for modification	C:\Windows\install\	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
File created	C:\Windows\install\server.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
File opened for modification	C:\Windows\install\server.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
File opened for modification	C:\Windows\install\server.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4644 3412 WerFault.exe server.exe

pid	pid_target	process	target process
4644	3412	WerFault.exe	server.exe

Modifies registry class 1 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

pid	process
4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

pid process

4520 82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

pid	process
4520	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

description	pid	process
Token: SeBackupPrivilege	4520	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Token: SeRestorePrivilege	4520	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Token: SeDebugPrivilege	4520	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
Token: SeDebugPrivilege	4520	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

C:\Users\Admin\AppData\Local\Temp\82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
"C:\Users\Admin\AppData\Local\Temp\82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
C:\Users\Admin\AppData\Local\Temp\82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
"C:\Users\Admin\AppData\Local\Temp\82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe"
3⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\install\server.exe
"C:\Windows\install\server.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4804

C:\Windows\install\server.exe
C:\Windows\install\server.exe
5⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 556
6⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3412 -ip 3412
1⤵
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
f310fd8e312bd2ca97aa0c1c5cfa99c5

SHA1
8c8cabd0f5202169233ba30341a383f7466a2bb2

SHA256
184a889c0c6c172c1f2340fb3e4b788a9039e9082fc977bb2b1cfc1ee105ae06

SHA512
8319590abf7db89f33144673a3d7700550ec5a52fd28c0879f013b922d6e1673274dbc3879375f2bdf25126491eecb5426fc56682072426cd67f13d6ec826779

Download Submit
C:\Windows\install\server.exe
Filesize
315KB

MD5
fa7e49c844abb9d84bb581e9d64cbb81

SHA1
671f00b6f79cf9822c15d44fbaee804cf8351090

SHA256
82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a

SHA512
955b00f740fbf1378163033dfdd8c0ed7efe95112ce8338eca8d0001e1900e611180c134432ddbb35f77d653573640fab2083ceb1a00a4b74f23b1949c04cc60

Download Submit
C:\Windows\install\server.exe
Filesize
315KB

MD5
fa7e49c844abb9d84bb581e9d64cbb81

SHA1
671f00b6f79cf9822c15d44fbaee804cf8351090

SHA256
82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a

SHA512
955b00f740fbf1378163033dfdd8c0ed7efe95112ce8338eca8d0001e1900e611180c134432ddbb35f77d653573640fab2083ceb1a00a4b74f23b1949c04cc60

Download Submit
C:\Windows\install\server.exe
Filesize
315KB

MD5
fa7e49c844abb9d84bb581e9d64cbb81

SHA1
671f00b6f79cf9822c15d44fbaee804cf8351090

SHA256
82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a

SHA512
955b00f740fbf1378163033dfdd8c0ed7efe95112ce8338eca8d0001e1900e611180c134432ddbb35f77d653573640fab2083ceb1a00a4b74f23b1949c04cc60

Download Submit
memory/3412-156-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3412-155-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3412-154-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3412-150-0x0000000000000000-mapping.dmp

Download
memory/4520-138-0x0000000000000000-mapping.dmp

Download
memory/4520-142-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4520-144-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4520-147-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4804-148-0x0000000000000000-mapping.dmp

Download
memory/4960-133-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4960-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4960-132-0x0000000000000000-mapping.dmp

Download
memory/4960-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4960-143-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4960-139-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4960-136-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

description	pid	process	target process
PID 3156 wrote to memory of 4960	3156	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 3156 wrote to memory of 4960	3156	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 3156 wrote to memory of 4960	3156	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 3156 wrote to memory of 4960	3156	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 3156 wrote to memory of 4960	3156	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe
PID 4960 wrote to memory of 4520	4960	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe	82064f47eaf532b9a88b9ee5bef3c8a3b4a3b777778f5c61622f27c3942b236a.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads