bitrat | db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

General

Target

827615424_PDF_parsed.exe
Size

1.5MB
MD5

cd33f6e84ebfe15dab41be1319122907
SHA1

bff44bfcd5d534a2ce2ea8cab944391e7f55abc1
SHA256

db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a
SHA512

6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b
SSDEEP

49152:Vnm4UcmDYIbFaTI39LMK44bFh1DgtJaJk4UUUUUJUUUUUU:x6blbku9Le4bFhuO1UUUUUJUUUUUU

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 5 IoCs

Processes:

jkgtr.exejkgtr.exejkgtr.exejkgtr.exejkgtr.exe

pid process

1072 jkgtr.exe
832 jkgtr.exe
1472 jkgtr.exe
1908 jkgtr.exe
1420 jkgtr.exe

pid	process
1072	jkgtr.exe
832	jkgtr.exe
1472	jkgtr.exe
1908	jkgtr.exe
1420	jkgtr.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1192-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1192-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1432-92-0x0000000000570000-0x0000000000954000-memory.dmp	upx
behavioral1/memory/1432-91-0x0000000000570000-0x0000000000954000-memory.dmp	upx
behavioral1/memory/1432-95-0x0000000000570000-0x0000000000954000-memory.dmp	upx
behavioral1/memory/1696-111-0x0000000000510000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1696-112-0x0000000000510000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1696-115-0x0000000000510000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1696-117-0x0000000000510000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1696-118-0x0000000000510000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1760-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1964-157-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1964-158-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid process

1192 RegAsm.exe
1192 RegAsm.exe
1192 RegAsm.exe
1192 RegAsm.exe
1192 RegAsm.exe
1432 RegAsm.exe
1696 RegAsm.exe
1760 RegAsm.exe
1964 RegAsm.exe

pid	process
1192	RegAsm.exe
1192	RegAsm.exe
1192	RegAsm.exe
1192	RegAsm.exe
1192	RegAsm.exe
1432	RegAsm.exe
1696	RegAsm.exe
1760	RegAsm.exe
1964	RegAsm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

827615424_PDF_parsed.exejkgtr.exejkgtr.exejkgtr.exejkgtr.exe

description	pid	process	target process
PID 1368 set thread context of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1072 set thread context of 1432	1072	jkgtr.exe	RegAsm.exe
PID 832 set thread context of 1696	832	jkgtr.exe	RegAsm.exe
PID 1472 set thread context of 1760	1472	jkgtr.exe	RegAsm.exe
PID 1908 set thread context of 1964	1908	jkgtr.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1248 schtasks.exe
1600 schtasks.exe
1644 schtasks.exe
1556 schtasks.exe
1168 schtasks.exe

pid	process
1248	schtasks.exe
1600	schtasks.exe
1644	schtasks.exe
1556	schtasks.exe
1168	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1192	RegAsm.exe
Token: SeShutdownPrivilege	1192	RegAsm.exe
Token: SeDebugPrivilege	1432	RegAsm.exe
Token: SeShutdownPrivilege	1432	RegAsm.exe
Token: SeDebugPrivilege	1696	RegAsm.exe
Token: SeShutdownPrivilege	1696	RegAsm.exe
Token: SeDebugPrivilege	1760	RegAsm.exe
Token: SeShutdownPrivilege	1760	RegAsm.exe
Token: SeDebugPrivilege	1964	RegAsm.exe
Token: SeShutdownPrivilege	1964	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1192 RegAsm.exe
1192 RegAsm.exe

pid	process
1192	RegAsm.exe
1192	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

827615424_PDF_parsed.execmd.exetaskeng.exejkgtr.execmd.exejkgtr.execmd.exe

description	pid	process	target process
PID 1368 wrote to memory of 1644	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 1644	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 1644	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 1644	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 528	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 528	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 528	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 528	1368	827615424_PDF_parsed.exe	cmd.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 1368 wrote to memory of 1192	1368	827615424_PDF_parsed.exe	RegAsm.exe
PID 800 wrote to memory of 1072	800	taskeng.exe	jkgtr.exe
PID 800 wrote to memory of 1072	800	taskeng.exe	jkgtr.exe
PID 800 wrote to memory of 1072	800	taskeng.exe	jkgtr.exe
PID 800 wrote to memory of 1072	800	taskeng.exe	jkgtr.exe
PID 1072 wrote to memory of 1748	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1748	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1748	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1748	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1816	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1816	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1816	1072	jkgtr.exe	cmd.exe
PID 1072 wrote to memory of 1816	1072	jkgtr.exe	cmd.exe
PID 1748 wrote to memory of 1600	1748	cmd.exe	schtasks.exe
PID 1748 wrote to memory of 1600	1748	cmd.exe	schtasks.exe
PID 1748 wrote to memory of 1600	1748	cmd.exe	schtasks.exe
PID 1748 wrote to memory of 1600	1748	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 1072 wrote to memory of 1432	1072	jkgtr.exe	RegAsm.exe
PID 800 wrote to memory of 832	800	taskeng.exe	jkgtr.exe
PID 800 wrote to memory of 832	800	taskeng.exe	jkgtr.exe
PID 800 wrote to memory of 832	800	taskeng.exe	jkgtr.exe
PID 800 wrote to memory of 832	800	taskeng.exe	jkgtr.exe
PID 832 wrote to memory of 1168	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 1168	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 1168	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 1168	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 624	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 624	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 624	832	jkgtr.exe	cmd.exe
PID 832 wrote to memory of 624	832	jkgtr.exe	cmd.exe
PID 1168 wrote to memory of 1644	1168	cmd.exe	schtasks.exe
PID 1168 wrote to memory of 1644	1168	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe
"C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1248

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\system32\taskeng.exe
taskeng.exe {C279F74E-D16D-4DC8-923B-7C6AD02EF95A} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
3⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
3⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1472

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
3⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1908

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
PID:528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
3⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jkgtr.exe
Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe
Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe
Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe
Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe
Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe
Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
memory/528-58-0x0000000000000000-mapping.dmp

Download
memory/528-142-0x0000000000000000-mapping.dmp

Download
memory/624-103-0x0000000000000000-mapping.dmp

Download
memory/680-124-0x0000000000000000-mapping.dmp

Download
memory/832-98-0x0000000000000000-mapping.dmp

Download
memory/832-100-0x0000000001140000-0x00000000012CC000-memory.dmp

Filesize
1.5MB

Download
memory/860-144-0x0000000000000000-mapping.dmp

Download
memory/1072-75-0x0000000001140000-0x00000000012CC000-memory.dmp

Filesize
1.5MB

Download
memory/1072-73-0x0000000000000000-mapping.dmp

Download
memory/1168-102-0x0000000000000000-mapping.dmp

Download
memory/1168-143-0x0000000000000000-mapping.dmp

Download
memory/1192-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-77-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1192-78-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1192-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-80-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1192-81-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1192-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-64-0x00000000007E2730-mapping.dmp

Download
memory/1192-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1248-57-0x0000000000000000-mapping.dmp

Download
memory/1368-54-0x0000000001230000-0x00000000013BC000-memory.dmp

Filesize
1.5MB

Download
memory/1368-55-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1420-159-0x0000000000000000-mapping.dmp

Download
memory/1432-91-0x0000000000570000-0x0000000000954000-memory.dmp

Filesize
3.9MB

Download
memory/1432-86-0x00000000007E2000-0x0000000000953000-memory.dmp

Filesize
1.4MB

Download
memory/1432-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1432-90-0x00000000007E2730-mapping.dmp

Download
memory/1432-92-0x0000000000570000-0x0000000000954000-memory.dmp

Filesize
3.9MB

Download
memory/1432-95-0x0000000000570000-0x0000000000954000-memory.dmp

Filesize
3.9MB

Download
memory/1472-119-0x0000000000000000-mapping.dmp

Download
memory/1556-123-0x0000000000000000-mapping.dmp

Download
memory/1600-84-0x0000000000000000-mapping.dmp

Download
memory/1644-56-0x0000000000000000-mapping.dmp

Download
memory/1644-104-0x0000000000000000-mapping.dmp

Download
memory/1696-118-0x0000000000510000-0x00000000008F4000-memory.dmp

Filesize
3.9MB

Download
memory/1696-117-0x0000000000510000-0x00000000008F4000-memory.dmp

Filesize
3.9MB

Download
memory/1696-112-0x0000000000510000-0x00000000008F4000-memory.dmp

Filesize
3.9MB

Download
memory/1696-115-0x0000000000510000-0x00000000008F4000-memory.dmp

Filesize
3.9MB

Download
memory/1696-111-0x0000000000510000-0x00000000008F4000-memory.dmp

Filesize
3.9MB

Download
memory/1696-110-0x00000000007E2730-mapping.dmp

Download
memory/1748-82-0x0000000000000000-mapping.dmp

Download
memory/1760-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-130-0x00000000007E2730-mapping.dmp

Download
memory/1816-83-0x0000000000000000-mapping.dmp

Download
memory/1908-139-0x0000000000000000-mapping.dmp

Download
memory/1964-150-0x00000000007E2730-mapping.dmp

Download
memory/1964-157-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1964-158-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2004-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads