bitrat | 6ed2e7b85f9591e922a95dbc167e5ed3ca2da2d3b823ed14aadc3eecdbddd5f0

General

Target

873_93_517_PDF.exe
Size

23KB
MD5

bf1cd9a3b9f4e67ccfd3a2a1e2942c0c
SHA1

fb5249b0a315531d94bf4e73d2b9902b8a39e63f
SHA256

6ed2e7b85f9591e922a95dbc167e5ed3ca2da2d3b823ed14aadc3eecdbddd5f0
SHA512

5e219a2d85b36080a49079a97eb6aa4c5a4dc3290f0ed3e67134824b622d29fe72c3e58f8a2c6c41471d7c198250a29c101a6792eba628483a0052bfdf074cc7
SSDEEP

384:+2HMdudOHoRir1G/gJ6jX4hy7cySdI5P9mei8MwU/iUx8VWDCvqhms3h2wappTut:+20v/xDDuwkuedmdVKBDhpA3T+RPvjG

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1420-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1420-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1420-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1420-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1420-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

CasPol.exe

pid process

1420 CasPol.exe
1420 CasPol.exe
1420 CasPol.exe
1420 CasPol.exe
1420 CasPol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

873_93_517_PDF.exe

description pid process target process

PID 1980 set thread context of 1420 1980 873_93_517_PDF.exe CasPol.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1652 1628 WerFault.exe 873_93_517_PDF.exe

pid	process
1420	CasPol.exe
1420	CasPol.exe
1420	CasPol.exe
1420	CasPol.exe
1420	CasPol.exe

description	pid	process	target process
PID 1980 set thread context of 1420	1980	873_93_517_PDF.exe	CasPol.exe

pid	pid_target	process	target process
1652	1628	WerFault.exe	873_93_517_PDF.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

NTFS ADS 2 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:26-10-2022	CasPol.exe
File opened for modification	C:\Users\Admin\AppData\Local:26-10-2022	CasPol.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exechrome.exe

pid process

1332 chrome.exe
188 chrome.exe
188 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CasPol.exe

pid process

1420 CasPol.exe

pid	process
1332	chrome.exe
188	chrome.exe
188	chrome.exe

pid	process
1420	CasPol.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

873_93_517_PDF.exeAUDIODG.EXECasPol.exe873_93_517_PDF.exe

description	pid	process
Token: SeDebugPrivilege	1980	873_93_517_PDF.exe
Token: 33	1892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1892	AUDIODG.EXE
Token: 33	1892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1892	AUDIODG.EXE
Token: SeDebugPrivilege	1420	CasPol.exe
Token: SeShutdownPrivilege	1420	CasPol.exe
Token: SeDebugPrivilege	1628	873_93_517_PDF.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe
188	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CasPol.exe

pid process

1420 CasPol.exe
1420 CasPol.exe

pid	process
1420	CasPol.exe
1420	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

873_93_517_PDF.exe873_93_517_PDF.exechrome.exe

description	pid	process	target process
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1980 wrote to memory of 1420	1980	873_93_517_PDF.exe	CasPol.exe
PID 1628 wrote to memory of 1652	1628	873_93_517_PDF.exe	WerFault.exe
PID 1628 wrote to memory of 1652	1628	873_93_517_PDF.exe	WerFault.exe
PID 1628 wrote to memory of 1652	1628	873_93_517_PDF.exe	WerFault.exe
PID 188 wrote to memory of 1688	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1688	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1688	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1304	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1332	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1332	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 1332	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 900	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 900	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 900	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 900	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 900	188	chrome.exe	chrome.exe
PID 188 wrote to memory of 900	188	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\873_93_517_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\873_93_517_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\AppData\Local\Temp\873_93_517_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\873_93_517_PDF.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1628 -s 1200
2⤵
- Program crash
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
1⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6704f50,0x7fef6704f60,0x7fef6704f70
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1744 /prefetch:8
2⤵
PID:900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
2⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3372 /prefetch:2
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3904 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3940 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4132 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:8
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4068 /prefetch:8
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,14324399130960729230,17934642190170425269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
2⤵
PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_188_EPOVFFCFMCGMCVSL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1420-65-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1420-58-0x00000000007E2730-mapping.dmp

Download
memory/1420-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1420-63-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1420-64-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1420-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1420-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1420-67-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1420-68-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1420-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1420-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-73-0x0000000001390000-0x00000000013AC000-memory.dmp

Filesize
112KB

Download
memory/1628-70-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/1652-71-0x0000000000000000-mapping.dmp

Download
memory/1772-55-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/1980-54-0x0000000001040000-0x000000000104A000-memory.dmp

Filesize
40KB

Download
memory/1980-56-0x000000001CD60000-0x000000001CF0A000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads