cybergate | e6bf950b873e20d8cd98393cc78d78cba077b0bae5caca44be9aeec126d57805

Analysis

max time kernel
12s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3caabee1b1684e6780e7655c561913b6.exe
Size

326KB
MD5

3caabee1b1684e6780e7655c561913b6
SHA1

ba359eb3f7de6c8c548025c98ddd53dc32514dae
SHA256

e6bf950b873e20d8cd98393cc78d78cba077b0bae5caca44be9aeec126d57805
SHA512

a129aaf275c9d7fcd21b058cde174d78ff2fbc508d7d7b49338c429b3660a920ce26593f49326ff5363b8a0904292861dc150bc98e5d0b980f02c4aafc349eec
SSDEEP

6144:+V8reMf7THSdiDOzHnoj/j4S5ubqWak1Hwnuz7zdLa:9S7diDOzHoLrSqJk12uzlLa

Score

10^/10

cybergate lammer persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

127.0.0.1:81

Mutex

PlugUN

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Plun.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
spycronic
regkey_hkcu
AvirnTT
regkey_hklm
AvgnTT

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3caabee1b1684e6780e7655c561913b6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\PluN\\Microsoft\\Plun.exe"	3caabee1b1684e6780e7655c561913b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3caabee1b1684e6780e7655c561913b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\PluN\\Microsoft\\Plun.exe"	3caabee1b1684e6780e7655c561913b6.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3caabee1b1684e6780e7655c561913b6.exe

Executes dropped EXE 2 IoCs

Processes:

Plun.exePlun.exe

pid process

2516 Plun.exe
1084 Plun.exe
Loads dropped DLL 6 IoCs

Processes:

3caabee1b1684e6780e7655c561913b6.exeWerFault.exe

pid process

2896 3caabee1b1684e6780e7655c561913b6.exe
2880 WerFault.exe
2880 WerFault.exe
2880 WerFault.exe
2880 WerFault.exe
2880 WerFault.exe

pid	process
2516	Plun.exe
1084	Plun.exe

pid	process
2896	3caabee1b1684e6780e7655c561913b6.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2896-318-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral1/memory/2896-1400-0x0000000024010000-0x0000000024070000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3caabee1b1684e6780e7655c561913b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvgnTT = "c:\\directory\\Microsoft\\PluN\\Microsoft\\Plun.exe"	3caabee1b1684e6780e7655c561913b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvirnTT = "c:\\directory\\Microsoft\\PluN\\Microsoft\\Plun.exe"	3caabee1b1684e6780e7655c561913b6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3caabee1b1684e6780e7655c561913b6.exePlun.exe

description	pid	process	target process
PID 2512 set thread context of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2516 set thread context of 1084	2516	Plun.exe	Plun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2720 2512 WerFault.exe 3caabee1b1684e6780e7655c561913b6.exe
2880 2516 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3caabee1b1684e6780e7655c561913b6.exe

pid process

2896 3caabee1b1684e6780e7655c561913b6.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3caabee1b1684e6780e7655c561913b6.exe

description pid process

Token: SeDebugPrivilege 2896 3caabee1b1684e6780e7655c561913b6.exe
Token: SeDebugPrivilege 2896 3caabee1b1684e6780e7655c561913b6.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3caabee1b1684e6780e7655c561913b6.exePlun.exe

pid process

2512 3caabee1b1684e6780e7655c561913b6.exe
2516 Plun.exe

pid	pid_target	process	target process
2720	2512	WerFault.exe	3caabee1b1684e6780e7655c561913b6.exe
2880	2516	WerFault.exe

pid	process
2896	3caabee1b1684e6780e7655c561913b6.exe

description	pid	process
Token: SeDebugPrivilege	2896	3caabee1b1684e6780e7655c561913b6.exe
Token: SeDebugPrivilege	2896	3caabee1b1684e6780e7655c561913b6.exe

pid	process
2512	3caabee1b1684e6780e7655c561913b6.exe
2516	Plun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3caabee1b1684e6780e7655c561913b6.exe3caabee1b1684e6780e7655c561913b6.exe

C:\Users\Admin\AppData\Local\Temp\3caabee1b1684e6780e7655c561913b6.exe
"C:\Users\Admin\AppData\Local\Temp\3caabee1b1684e6780e7655c561913b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 192
2⤵
- Program crash
PID:2720

C:\Users\Admin\AppData\Local\Temp\3caabee1b1684e6780e7655c561913b6.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\3caabee1b1684e6780e7655c561913b6.exe
"C:\Users\Admin\AppData\Local\Temp\3caabee1b1684e6780e7655c561913b6.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 192
1⤵
- Loads dropped DLL
- Program crash
PID:2880

C:\directory\Microsoft\PluN\Microsoft\Plun.exe
1⤵
- Executes dropped EXE
PID:1084

C:\directory\Microsoft\PluN\Microsoft\Plun.exe
"C:\directory\Microsoft\PluN\Microsoft\Plun.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d5ad8493763526f952f3838117413419

SHA1
327d03ba742ce8173835aa93c6e798c9026d5885

SHA256
6a780a703e25eb76f18c8207a3e3669dd9bdf0401973b05d73320c9f52e5e7ca

SHA512
c53c59b8fc54101bc5c23829ffa29e846f2322e34c81594e229e4b39d405382dba04233f5d7f5f4d4d427a2ee10e34847cc96ed041ab0b5bf61a46eeb9650fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0404899e91f30eaa535b5b07ec286c1d

SHA1
db65ac40b418c219ef19f4716db8fed8990e635a

SHA256
b96df356a2bfec91454dce6848741edd0aa0f1b4a4f595e52e1e1e16529e8084

SHA512
ecff2bbac73b99b72d4a948ce36afd469bdad17dfea8063924ed6b418312f0affe02526291f36d3ca0412493393f3355afff5744cb33ddc4c684cf830e18d0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
647a4b475e01d3f75b1ec098c4d160eb

SHA1
8bff570ed041ec2145f53f1d11066ba441e2cabc

SHA256
f7642b0196bca4047a8373ba9bdfd3def3a2b55acd341b934ccd54183f5760f4

SHA512
dbc8d50617d1ae958e3d52d72181e3c4195a36c6e7c11501c04c492a6b43e7bb5a5b970bef50860110f94b0f23f3a9c1a1fcae028f3468817cfbbd7f79ee7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b88bd39de2f7cf03356b6d62fe24cd03

SHA1
957f1b0064342e348fb5ca9c67a35884e25ada58

SHA256
13a9cb7ce89bb62af40f50e4dde963d0f52935220c7231a2f5bbb279143ad824

SHA512
b1525e3592a661d92cbc39d44c905889ca0c029490037a156a1d2a9c002d86cec30944a11423072f367fb59589840af88e76ce62d80cdac33f21cfcb7c97230e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
4f20bba4725165bfe87cf9fa13b05bfa

SHA1
09505cc1b068627453b3c0c6183db1fc9f072ddd

SHA256
671251a31eff7b8b9ecc299a0e9e51651ea4621eadc1f93cdae21f7ab1dc1f5a

SHA512
839dc0c5b95c68827cdee1ecc95b34a526c79a08a3bdf7a0dea4874e5a652ad9781f1b07c1ad24b6aafa35ce1810fd4035d58ff9c97a25232be37b6b54de4b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9ec3750db29297eb5e5f839911d73cdd

SHA1
9cd607437550c9a2b5f25bacfd294d4645b142d6

SHA256
70f0b9898aced0bef5ade1ab4eb0bec738c2ba05c6cc634fc2461b0920492089

SHA512
8bd4d59e945ec08bd68a59a4605f820f670bb2093442151d5b52a700274ca69fe8193374fd3a845ab46349887713d38f9f3f163905bd83a7365ff669a9e96f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e1675510ccae7af4c934560b2c97c4a7

SHA1
449fe741ec1e46c9168b376a58c5de4f84b62a63

SHA256
a4d6f3bce96068ce586e5b79d47bae9a7abe0d7d6cf41d5350a410d1e5f13256

SHA512
be9cf1c037a1f4ad3d9b18c906ff949f46fe1d5663014d9bbd2f689e948546da5303a80b6b942e28eafcea8909deadd43f736b97070dd5ba5126de402fcc457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1b5f073374f458c2649f7c43666e771e

SHA1
edc7a8d3625545c3900bb0f7d5ddf04c40e95822

SHA256
3517f8dc10dd3cb07eee6c13d55f5c8502e0cc2e20cd61b3ca79c05f59de5b70

SHA512
49f9b84e67d74cf39cb4b3139bce64188fd5d3268a3d71751d63ac10b59e44821e9feb815df5cc392de9a943bdaa7bcf8c645ab83bdd7f16f1b0c52554072126

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
af996251656785cbefd265d20e69407b

SHA1
1aac63bb63eb9489536b5a99a29355c09d0bd7a2

SHA256
550572ed67368cfeb782ab9b3668344ac7a31b7950faafa6310b453a91c1ad0c

SHA512
252b461b96db51a2920deec98f9fe709d7767ae97db3afb3ef04bca9d45abca73c330ba7c0253de62a5e62fb252ec82fdf2429161bbf913ba36822e6ca1c43e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c6a5262533e4e084b6c88d20e8aab4c0

SHA1
3b366cdf7f62351efc71f280b4d77904510a770b

SHA256
81f490204d0d7bb0a0782cfa2de2b86f79ce7e00fd867288bdd8e279f6da48a3

SHA512
f83acaed8a57fdf6d8031b043445b835ee5b0e7849857a274222d5233a67a96c7a1277ae48acb1231301749e2d657160b3fe8bccd1441a06239c11da69fd6cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5f8c7070bf3183eafe92d5957be4f332

SHA1
6626dc85eb6a3307bc5a2c0cd940bd23b492b1cb

SHA256
bba658c5f81107d0c49e1046a1ff82fc5e441a218c6fc5638abd325bc96ac21e

SHA512
22c149b3696a641d4a3e310448e60d6e8f2415b2850a094df24d230a36ceea4e1d99ebadb242b116d4053c7bdbe07ce50b795bc7312bb1e94636ecf840b886cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3ddf8c4c548ea5ece76c7a0b899a49b6

SHA1
ecaf7d3a5c04b610233dd8d52fb196de4950eebb

SHA256
701762d7efcf9ffa4b1a676ce38614d6cc504d7039ca134efd3b406541013bdb

SHA512
9eab6459df3c2302253680733ed6d2991a5959e4b08362ae1af779be614e33503a68f60585486ef5b14ba5a57eb6bfbb96912c51acd47d50fcd693ed5d6169a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
991e7c5c7929d3628f8289df20395b97

SHA1
328dc54385422156aa1d1c0534763a5a020c1492

SHA256
70b30154fd1c4fb061bdce2046f3103019d90730971a0fe500988a8edcd2f715

SHA512
184756ebead34d3390f4e38619257756275348a6416abd45c42a33a51b992582d19e9eec713ee7125e5fa2cf6dd1d07e29ea009b429897404378f7a58ad492a1

Download Submit
memory/1084-369-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1084-373-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1864-320-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1864-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2896-33-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2896-318-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download
memory/2896-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2896-27-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2896-1400-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download

description	pid	process	target process
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 1864	2512	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 2512 wrote to memory of 2720	2512	3caabee1b1684e6780e7655c561913b6.exe	WerFault.exe
PID 2512 wrote to memory of 2720	2512	3caabee1b1684e6780e7655c561913b6.exe	WerFault.exe
PID 2512 wrote to memory of 2720	2512	3caabee1b1684e6780e7655c561913b6.exe	WerFault.exe
PID 2512 wrote to memory of 2720	2512	3caabee1b1684e6780e7655c561913b6.exe	WerFault.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe
PID 1864 wrote to memory of 2896	1864	3caabee1b1684e6780e7655c561913b6.exe	3caabee1b1684e6780e7655c561913b6.exe