bitrat | 67cda8c74585c33e1aaf255bf9283b781c2f4e15b7833ea02c3a725bc4ef9ea1

General

Target

3164_23_147_PDF.exe
Size

300.0MB
MD5

19ee0757397eff0b8cafa381c9c3737b
SHA1

801fbacb698b52aca0448fcbd6ab44d921ff6c3d
SHA256

50c0fd86906d4b61410326cde1aaf9c114684287b0b165e785873b599f6dd9c3
SHA512

ef09f79119e3f55d4e85b83a2586d41b2e4156ed2a7d28784aa880218d8c1dc623268b4232b22e254bcd91aa9d202e7a044d4d25ec289ab08b3228197beed312
SSDEEP

98304:FwcVlQ8/lL2LLeZWL0kDdtJRLum/quFUD1nUzsg:ycX1VCLeen1UpU

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

nbitt9090.execvdafs.execvdafs.execvdafs.exe

pid process

1268 nbitt9090.exe
364 cvdafs.exe
1228 cvdafs.exe
1688 cvdafs.exe

pid	process
1268	nbitt9090.exe
364	cvdafs.exe
1228	cvdafs.exe
1688	cvdafs.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/888-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/888-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/888-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/888-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/888-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/888-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
behavioral1/memory/888-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1268-76-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/888-77-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1268-78-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/840-97-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/840-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/912-116-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/912-117-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

3164_23_147_PDF.exe

pid process

912 3164_23_147_PDF.exe
912 3164_23_147_PDF.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

vbc.exenbitt9090.exevbc.exevbc.exe

pid process

888 vbc.exe
1268 nbitt9090.exe
888 vbc.exe
888 vbc.exe
1268 nbitt9090.exe
888 vbc.exe
1268 nbitt9090.exe
1268 nbitt9090.exe
840 vbc.exe
912 vbc.exe

pid	process
912	3164_23_147_PDF.exe
912	3164_23_147_PDF.exe

pid	process
888	vbc.exe
1268	nbitt9090.exe
888	vbc.exe
888	vbc.exe
1268	nbitt9090.exe
888	vbc.exe
1268	nbitt9090.exe
1268	nbitt9090.exe
840	vbc.exe
912	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3164_23_147_PDF.execvdafs.execvdafs.exe

description	pid	process	target process
PID 912 set thread context of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 364 set thread context of 840	364	cvdafs.exe	vbc.exe
PID 1228 set thread context of 912	1228	cvdafs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1724 schtasks.exe
1732 schtasks.exe
1904 schtasks.exe

pid	process
1724	schtasks.exe
1732	schtasks.exe
1904	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AUDIODG.EXEvbc.exenbitt9090.exevbc.exevbc.exe

description	pid	process
Token: 33	464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	464	AUDIODG.EXE
Token: 33	464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	464	AUDIODG.EXE
Token: SeDebugPrivilege	888	vbc.exe
Token: SeShutdownPrivilege	888	vbc.exe
Token: SeDebugPrivilege	1268	nbitt9090.exe
Token: SeShutdownPrivilege	1268	nbitt9090.exe
Token: SeDebugPrivilege	840	vbc.exe
Token: SeShutdownPrivilege	840	vbc.exe
Token: SeDebugPrivilege	912	vbc.exe
Token: SeShutdownPrivilege	912	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vbc.exenbitt9090.exe

pid process

888 vbc.exe
1268 nbitt9090.exe
1268 nbitt9090.exe
888 vbc.exe

pid	process
888	vbc.exe
1268	nbitt9090.exe
1268	nbitt9090.exe
888	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3164_23_147_PDF.execmd.exetaskeng.execvdafs.execmd.execvdafs.execmd.exe

description	pid	process	target process
PID 912 wrote to memory of 1136	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 1136	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 1136	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 1136	912	3164_23_147_PDF.exe	cmd.exe
PID 1136 wrote to memory of 1732	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1732	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1732	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1732	1136	cmd.exe	schtasks.exe
PID 912 wrote to memory of 2020	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 2020	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 2020	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 2020	912	3164_23_147_PDF.exe	cmd.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 888	912	3164_23_147_PDF.exe	vbc.exe
PID 912 wrote to memory of 1268	912	3164_23_147_PDF.exe	nbitt9090.exe
PID 912 wrote to memory of 1268	912	3164_23_147_PDF.exe	nbitt9090.exe
PID 912 wrote to memory of 1268	912	3164_23_147_PDF.exe	nbitt9090.exe
PID 912 wrote to memory of 1268	912	3164_23_147_PDF.exe	nbitt9090.exe
PID 1576 wrote to memory of 364	1576	taskeng.exe	cvdafs.exe
PID 1576 wrote to memory of 364	1576	taskeng.exe	cvdafs.exe
PID 1576 wrote to memory of 364	1576	taskeng.exe	cvdafs.exe
PID 1576 wrote to memory of 364	1576	taskeng.exe	cvdafs.exe
PID 364 wrote to memory of 980	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 980	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 980	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 980	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 1408	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 1408	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 1408	364	cvdafs.exe	cmd.exe
PID 364 wrote to memory of 1408	364	cvdafs.exe	cmd.exe
PID 980 wrote to memory of 1904	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1904	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1904	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1904	980	cmd.exe	schtasks.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 364 wrote to memory of 840	364	cvdafs.exe	vbc.exe
PID 1576 wrote to memory of 1228	1576	taskeng.exe	cvdafs.exe
PID 1576 wrote to memory of 1228	1576	taskeng.exe	cvdafs.exe
PID 1576 wrote to memory of 1228	1576	taskeng.exe	cvdafs.exe
PID 1576 wrote to memory of 1228	1576	taskeng.exe	cvdafs.exe
PID 1228 wrote to memory of 1136	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1136	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1136	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1136	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1900	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1900	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1900	1228	cvdafs.exe	cmd.exe
PID 1228 wrote to memory of 1900	1228	cvdafs.exe	cmd.exe
PID 1136 wrote to memory of 1724	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1724	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1724	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1724	1136	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3164_23_147_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\3164_23_147_PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\3164_23_147_PDF.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:888

C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe
"C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\system32\taskeng.exe
taskeng.exe {291871FE-E73D-4B20-80C1-B49D6482E9D3} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Roaming\cvdafs.exe
C:\Users\Admin\AppData\Roaming\cvdafs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\cvdafs.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
3⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Roaming\cvdafs.exe
C:\Users\Admin\AppData\Roaming\cvdafs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\cvdafs.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
3⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Roaming\cvdafs.exe
C:\Users\Admin\AppData\Roaming\cvdafs.exe
2⤵
- Executes dropped EXE
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe

Filesize
300.0MB

MD5
19ee0757397eff0b8cafa381c9c3737b

SHA1
801fbacb698b52aca0448fcbd6ab44d921ff6c3d

SHA256
50c0fd86906d4b61410326cde1aaf9c114684287b0b165e785873b599f6dd9c3

SHA512
ef09f79119e3f55d4e85b83a2586d41b2e4156ed2a7d28784aa880218d8c1dc623268b4232b22e254bcd91aa9d202e7a044d4d25ec289ab08b3228197beed312

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe

Filesize
121.9MB

MD5
af2ab3029dd8117553b5a0e792c172bd

SHA1
06b36c3d6d5925bd3568ff2267bed14dd20b4d3c

SHA256
79e0ce1fe85e7dd663f4e9c03bf5f4888bdce6aa10f1470405434d094d7865a3

SHA512
3e402225a356d84c0537692549d7c3be9ad289ae36bef89475090ac83583a2b087aac50e09be546e8cc43ce9e6373e8ed378fc938ffb9c0d58d2e6de9f92e8f4

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe

Filesize
300.0MB

MD5
19ee0757397eff0b8cafa381c9c3737b

SHA1
801fbacb698b52aca0448fcbd6ab44d921ff6c3d

SHA256
50c0fd86906d4b61410326cde1aaf9c114684287b0b165e785873b599f6dd9c3

SHA512
ef09f79119e3f55d4e85b83a2586d41b2e4156ed2a7d28784aa880218d8c1dc623268b4232b22e254bcd91aa9d202e7a044d4d25ec289ab08b3228197beed312

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe

Filesize
300.0MB

MD5
19ee0757397eff0b8cafa381c9c3737b

SHA1
801fbacb698b52aca0448fcbd6ab44d921ff6c3d

SHA256
50c0fd86906d4b61410326cde1aaf9c114684287b0b165e785873b599f6dd9c3

SHA512
ef09f79119e3f55d4e85b83a2586d41b2e4156ed2a7d28784aa880218d8c1dc623268b4232b22e254bcd91aa9d202e7a044d4d25ec289ab08b3228197beed312

Download Submit
\Users\Admin\AppData\Local\Temp\nbitt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
\Users\Admin\AppData\Local\Temp\nbitt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
memory/364-80-0x0000000000000000-mapping.dmp

Download
memory/364-82-0x00000000010D0000-0x00000000013C6000-memory.dmp

Filesize
3.0MB

Download
memory/840-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/840-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/840-92-0x00000000007E2730-mapping.dmp

Download
memory/888-65-0x00000000007E2730-mapping.dmp

Download
memory/888-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-77-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/888-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/912-117-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/912-54-0x0000000001200000-0x00000000014F6000-memory.dmp

Filesize
3.0MB

Download
memory/912-111-0x00000000007E2730-mapping.dmp

Download
memory/912-116-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/912-55-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/980-84-0x0000000000000000-mapping.dmp

Download
memory/1136-103-0x0000000000000000-mapping.dmp

Download
memory/1136-56-0x0000000000000000-mapping.dmp

Download
memory/1228-101-0x0000000000290000-0x0000000000586000-memory.dmp

Filesize
3.0MB

Download
memory/1228-99-0x0000000000000000-mapping.dmp

Download
memory/1268-78-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1268-71-0x0000000000000000-mapping.dmp

Download
memory/1268-76-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1408-85-0x0000000000000000-mapping.dmp

Download
memory/1688-120-0x0000000000990000-0x0000000000C86000-memory.dmp

Filesize
3.0MB

Download
memory/1688-118-0x0000000000000000-mapping.dmp

Download
memory/1724-105-0x0000000000000000-mapping.dmp

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1760-59-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/1900-104-0x0000000000000000-mapping.dmp

Download
memory/1904-86-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads