bitrat | 5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

General

Target

INVOICE.exe
Size

1.6MB
MD5

dcc3fab0819a6859a896f163c78d8d8f
SHA1

356682a4ed7d49531f61caf30b3ce705909ef35d
SHA256

5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458
SHA512

1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

casr.execasr.execasr.execasr.exe

pid process

2944 casr.exe
4316 casr.exe
616 casr.exe
4356 casr.exe

pid	process
2944	casr.exe
4316	casr.exe
616	casr.exe
4356	casr.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4684-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4908-155-0x0000000000A20000-0x0000000000E04000-memory.dmp	upx
behavioral2/memory/4908-156-0x0000000000A20000-0x0000000000E04000-memory.dmp	upx
behavioral2/memory/1564-172-0x0000000000730000-0x0000000000B14000-memory.dmp	upx
behavioral2/memory/1564-173-0x0000000000730000-0x0000000000B14000-memory.dmp	upx
behavioral2/memory/1028-190-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1028-191-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3844-205-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/3844-206-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

4684 RegAsm.exe
4684 RegAsm.exe
4684 RegAsm.exe
4684 RegAsm.exe
1028 RegAsm.exe

pid	process
4684	RegAsm.exe
4684	RegAsm.exe
4684	RegAsm.exe
4684	RegAsm.exe
1028	RegAsm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

INVOICE.execasr.execasr.execasr.execasr.exe

description	pid	process	target process
PID 4800 set thread context of 4684	4800	INVOICE.exe	RegAsm.exe
PID 2944 set thread context of 4908	2944	casr.exe	RegAsm.exe
PID 4316 set thread context of 1564	4316	casr.exe	RegAsm.exe
PID 616 set thread context of 1028	616	casr.exe	RegAsm.exe
PID 4356 set thread context of 3844	4356	casr.exe	RegAsm.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1848	4908	WerFault.exe	RegAsm.exe
4968	1564	WerFault.exe	RegAsm.exe
3692	3844	WerFault.exe	RegAsm.exe
2568	3844	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1460 schtasks.exe
4548 schtasks.exe
808 schtasks.exe
1512 schtasks.exe
208 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

description pid process

Token: SeShutdownPrivilege 4684 RegAsm.exe
Token: SeShutdownPrivilege 1028 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

4684 RegAsm.exe
4684 RegAsm.exe

pid	process
1460	schtasks.exe
4548	schtasks.exe
808	schtasks.exe
1512	schtasks.exe
208	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4684	RegAsm.exe
Token: SeShutdownPrivilege	1028	RegAsm.exe

pid	process
4684	RegAsm.exe
4684	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

INVOICE.execmd.execasr.execmd.execasr.execmd.execasr.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 3604	4800	INVOICE.exe	cmd.exe
PID 4800 wrote to memory of 3604	4800	INVOICE.exe	cmd.exe
PID 4800 wrote to memory of 3604	4800	INVOICE.exe	cmd.exe
PID 3604 wrote to memory of 1460	3604	cmd.exe	schtasks.exe
PID 3604 wrote to memory of 1460	3604	cmd.exe	schtasks.exe
PID 3604 wrote to memory of 1460	3604	cmd.exe	schtasks.exe
PID 4800 wrote to memory of 4780	4800	INVOICE.exe	cmd.exe
PID 4800 wrote to memory of 4780	4800	INVOICE.exe	cmd.exe
PID 4800 wrote to memory of 4780	4800	INVOICE.exe	cmd.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 4800 wrote to memory of 4684	4800	INVOICE.exe	RegAsm.exe
PID 2944 wrote to memory of 1016	2944	casr.exe	cmd.exe
PID 2944 wrote to memory of 1016	2944	casr.exe	cmd.exe
PID 2944 wrote to memory of 1016	2944	casr.exe	cmd.exe
PID 1016 wrote to memory of 4548	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 4548	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 4548	1016	cmd.exe	schtasks.exe
PID 2944 wrote to memory of 8	2944	casr.exe	cmd.exe
PID 2944 wrote to memory of 8	2944	casr.exe	cmd.exe
PID 2944 wrote to memory of 8	2944	casr.exe	cmd.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 2944 wrote to memory of 4908	2944	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 344	4316	casr.exe	cmd.exe
PID 4316 wrote to memory of 344	4316	casr.exe	cmd.exe
PID 4316 wrote to memory of 344	4316	casr.exe	cmd.exe
PID 344 wrote to memory of 808	344	cmd.exe	schtasks.exe
PID 344 wrote to memory of 808	344	cmd.exe	schtasks.exe
PID 344 wrote to memory of 808	344	cmd.exe	schtasks.exe
PID 4316 wrote to memory of 3392	4316	casr.exe	cmd.exe
PID 4316 wrote to memory of 3392	4316	casr.exe	cmd.exe
PID 4316 wrote to memory of 3392	4316	casr.exe	cmd.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 4316 wrote to memory of 1564	4316	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1872	616	casr.exe	cmd.exe
PID 616 wrote to memory of 1872	616	casr.exe	cmd.exe
PID 616 wrote to memory of 1872	616	casr.exe	cmd.exe
PID 1872 wrote to memory of 1512	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 1512	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 1512	1872	cmd.exe	schtasks.exe
PID 616 wrote to memory of 4052	616	casr.exe	cmd.exe
PID 616 wrote to memory of 4052	616	casr.exe	cmd.exe
PID 616 wrote to memory of 4052	616	casr.exe	cmd.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe
PID 616 wrote to memory of 1028	616	casr.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 540
3⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4908 -ip 4908
1⤵
PID:4640

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 184
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1564 -ip 1564
1⤵
PID:1308

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4356

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
PID:4668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 196
3⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 200
3⤵
- Program crash
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3844 -ip 3844
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3844 -ip 3844
1⤵
PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\casr.exe.log
Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
dcc3fab0819a6859a896f163c78d8d8f

SHA1
356682a4ed7d49531f61caf30b3ce705909ef35d

SHA256
5b35b7ece66692f0291cfd6d27bb430a4c0680e6a9706fbca578b90799786458

SHA512
1039d8f79fdb9563814b72ca7866e3aab3e37999405f5ce5502ce47fad38c09930e51e4f2c8a85b27533e84fc254e8cead5462ae5d2640b9dbee4f4c93b60091

Download Submit
memory/8-152-0x0000000000000000-mapping.dmp

Download
memory/208-201-0x0000000000000000-mapping.dmp

Download
memory/344-167-0x0000000000000000-mapping.dmp

Download
memory/808-168-0x0000000000000000-mapping.dmp

Download
memory/1016-150-0x0000000000000000-mapping.dmp

Download
memory/1028-185-0x0000000000000000-mapping.dmp

Download
memory/1028-190-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1028-191-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1460-132-0x0000000000000000-mapping.dmp

Download
memory/1512-183-0x0000000000000000-mapping.dmp

Download
memory/1564-172-0x0000000000730000-0x0000000000B14000-memory.dmp

Filesize
3.9MB

Download
memory/1564-170-0x0000000000000000-mapping.dmp

Download
memory/1564-173-0x0000000000730000-0x0000000000B14000-memory.dmp

Filesize
3.9MB

Download
memory/1872-182-0x0000000000000000-mapping.dmp

Download
memory/3392-169-0x0000000000000000-mapping.dmp

Download
memory/3596-202-0x0000000000000000-mapping.dmp

Download
memory/3604-131-0x0000000000000000-mapping.dmp

Download
memory/3844-206-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/3844-205-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/3844-203-0x0000000000000000-mapping.dmp

Download
memory/4052-184-0x0000000000000000-mapping.dmp

Download
memory/4548-151-0x0000000000000000-mapping.dmp

Download
memory/4668-200-0x0000000000000000-mapping.dmp

Download
memory/4684-176-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-196-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-145-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-164-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-165-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-166-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-143-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-142-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-160-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-141-0x00000000747C0000-0x00000000747F9000-memory.dmp

Filesize
228KB

Download
memory/4684-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-174-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-175-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-149-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-178-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-179-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-180-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-181-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-207-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-159-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-135-0x0000000000000000-mapping.dmp

Download
memory/4684-148-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-192-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-193-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-194-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-157-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-161-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-197-0x0000000074B60000-0x0000000074B99000-memory.dmp

Filesize
228KB

Download
memory/4684-198-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-199-0x0000000074880000-0x00000000748B9000-memory.dmp

Filesize
228KB

Download
memory/4684-158-0x00000000747C0000-0x00000000747F9000-memory.dmp

Filesize
228KB

Download
memory/4780-134-0x0000000000000000-mapping.dmp

Download
memory/4800-133-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/4800-130-0x00000000001E0000-0x0000000000374000-memory.dmp

Filesize
1.6MB

Download
memory/4908-156-0x0000000000A20000-0x0000000000E04000-memory.dmp

Filesize
3.9MB

Download
memory/4908-155-0x0000000000A20000-0x0000000000E04000-memory.dmp

Filesize
3.9MB

Download
memory/4908-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads