bitrat | 5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

General

Target

INVOICE.exe
Size

1.6MB
MD5

dcc3fab0819a6859a896f163c78d8d8f
SHA1

356682a4ed7d49531f61caf30b3ce705909ef35d
SHA256

5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458
SHA512

1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

casr.execasr.execasr.execasr.exe

pid process

1888 casr.exe
992 casr.exe
1924 casr.exe
1684 casr.exe

pid	process
1888	casr.exe
992	casr.exe
1924	casr.exe
1684	casr.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2012-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2012-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1980-88-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1980-89-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1980-92-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1980-94-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1980-95-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1616-115-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1616-116-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1832-135-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1832-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/604-156-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/604-157-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid process

2012 RegAsm.exe
2012 RegAsm.exe
2012 RegAsm.exe
2012 RegAsm.exe
1980 RegAsm.exe
1616 RegAsm.exe
1832 RegAsm.exe
604 RegAsm.exe

pid	process
2012	RegAsm.exe
2012	RegAsm.exe
2012	RegAsm.exe
2012	RegAsm.exe
1980	RegAsm.exe
1616	RegAsm.exe
1832	RegAsm.exe
604	RegAsm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

INVOICE.execasr.execasr.execasr.execasr.exe

description	pid	process	target process
PID 1600 set thread context of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1888 set thread context of 1980	1888	casr.exe	RegAsm.exe
PID 992 set thread context of 1616	992	casr.exe	RegAsm.exe
PID 1924 set thread context of 1832	1924	casr.exe	RegAsm.exe
PID 1684 set thread context of 604	1684	casr.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2016 schtasks.exe
1484 schtasks.exe
1692 schtasks.exe
1448 schtasks.exe
1156 schtasks.exe

pid	process
2016	schtasks.exe
1484	schtasks.exe
1692	schtasks.exe
1448	schtasks.exe
1156	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2012	RegAsm.exe
Token: SeShutdownPrivilege	2012	RegAsm.exe
Token: SeDebugPrivilege	1980	RegAsm.exe
Token: SeShutdownPrivilege	1980	RegAsm.exe
Token: SeDebugPrivilege	1616	RegAsm.exe
Token: SeShutdownPrivilege	1616	RegAsm.exe
Token: SeDebugPrivilege	1832	RegAsm.exe
Token: SeShutdownPrivilege	1832	RegAsm.exe
Token: SeDebugPrivilege	604	RegAsm.exe
Token: SeShutdownPrivilege	604	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2012 RegAsm.exe
2012 RegAsm.exe

pid	process
2012	RegAsm.exe
2012	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

INVOICE.execmd.exetaskeng.execasr.execmd.execasr.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 1688	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 1688	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 1688	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 1688	1600	INVOICE.exe	cmd.exe
PID 1688 wrote to memory of 2016	1688	cmd.exe	schtasks.exe
PID 1688 wrote to memory of 2016	1688	cmd.exe	schtasks.exe
PID 1688 wrote to memory of 2016	1688	cmd.exe	schtasks.exe
PID 1688 wrote to memory of 2016	1688	cmd.exe	schtasks.exe
PID 1600 wrote to memory of 1216	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 1216	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 1216	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 1216	1600	INVOICE.exe	cmd.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1600 wrote to memory of 2012	1600	INVOICE.exe	RegAsm.exe
PID 1352 wrote to memory of 1888	1352	taskeng.exe	casr.exe
PID 1352 wrote to memory of 1888	1352	taskeng.exe	casr.exe
PID 1352 wrote to memory of 1888	1352	taskeng.exe	casr.exe
PID 1352 wrote to memory of 1888	1352	taskeng.exe	casr.exe
PID 1888 wrote to memory of 1820	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1820	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1820	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1820	1888	casr.exe	cmd.exe
PID 1820 wrote to memory of 1484	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 1484	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 1484	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 1484	1820	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1620	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1620	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1620	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1620	1888	casr.exe	cmd.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1888 wrote to memory of 1980	1888	casr.exe	RegAsm.exe
PID 1352 wrote to memory of 992	1352	taskeng.exe	casr.exe
PID 1352 wrote to memory of 992	1352	taskeng.exe	casr.exe
PID 1352 wrote to memory of 992	1352	taskeng.exe	casr.exe
PID 1352 wrote to memory of 992	1352	taskeng.exe	casr.exe
PID 992 wrote to memory of 1312	992	casr.exe	cmd.exe
PID 992 wrote to memory of 1312	992	casr.exe	cmd.exe
PID 992 wrote to memory of 1312	992	casr.exe	cmd.exe
PID 992 wrote to memory of 1312	992	casr.exe	cmd.exe
PID 1312 wrote to memory of 1692	1312	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 1692	1312	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 1692	1312	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 1692	1312	cmd.exe	schtasks.exe
PID 992 wrote to memory of 820	992	casr.exe	cmd.exe
PID 992 wrote to memory of 820	992	casr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\system32\taskeng.exe
taskeng.exe {A5C655C1-4DA0-4C2F-AABF-7066944B31A3} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
3⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
3⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1924

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
PID:564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
3⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
PID:1204

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
3⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
memory/564-120-0x0000000000000000-mapping.dmp

Download
memory/604-157-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/604-156-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/604-149-0x00000000007E2740-mapping.dmp

Download
memory/820-102-0x0000000000000000-mapping.dmp

Download
memory/992-98-0x0000000001310000-0x00000000014A4000-memory.dmp

Filesize
1.6MB

Download
memory/992-96-0x0000000000000000-mapping.dmp

Download
memory/1156-142-0x0000000000000000-mapping.dmp

Download
memory/1204-141-0x0000000000000000-mapping.dmp

Download
memory/1216-59-0x0000000000000000-mapping.dmp

Download
memory/1312-100-0x0000000000000000-mapping.dmp

Download
memory/1448-121-0x0000000000000000-mapping.dmp

Download
memory/1484-80-0x0000000000000000-mapping.dmp

Download
memory/1600-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1600-54-0x0000000000BB0000-0x0000000000D44000-memory.dmp

Filesize
1.6MB

Download
memory/1600-56-0x00000000052C0000-0x0000000005436000-memory.dmp

Filesize
1.5MB

Download
memory/1616-108-0x00000000007E2740-mapping.dmp

Download
memory/1616-116-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1616-115-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1620-81-0x0000000000000000-mapping.dmp

Download
memory/1684-137-0x0000000000000000-mapping.dmp

Download
memory/1684-139-0x00000000013B0000-0x0000000001544000-memory.dmp

Filesize
1.6MB

Download
memory/1688-57-0x0000000000000000-mapping.dmp

Download
memory/1688-143-0x0000000000000000-mapping.dmp

Download
memory/1692-101-0x0000000000000000-mapping.dmp

Download
memory/1696-122-0x0000000000000000-mapping.dmp

Download
memory/1820-79-0x0000000000000000-mapping.dmp

Download
memory/1832-135-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1832-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1832-128-0x00000000007E2740-mapping.dmp

Download
memory/1888-77-0x0000000001310000-0x00000000014A4000-memory.dmp

Filesize
1.6MB

Download
memory/1888-75-0x0000000000000000-mapping.dmp

Download
memory/1924-117-0x0000000000000000-mapping.dmp

Download
memory/1980-92-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1980-95-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1980-94-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1980-89-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1980-88-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1980-87-0x00000000007E2740-mapping.dmp

Download
memory/1980-83-0x00000000006D2000-0x0000000000843000-memory.dmp

Filesize
1.4MB

Download
memory/2012-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-65-0x00000000007E2740-mapping.dmp

Download
memory/2012-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads