bitrat | 07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

General

Target

FedEx00B1915_parsed.exe
Size

1.7MB
MD5

e6641a7a0c61243081e9342c2e5076c6
SHA1

035914a1d0244039d43c48cadcab0439ed6855d0
SHA256

07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067
SHA512

fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda
SSDEEP

49152:rl3Nx5txMWMlY23V6MKAL1BVHiBIHKG5HqMG:xH50WOY2lxKALpHhKo3G

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

akatabit1915.duckdns.org:1915

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 3 IoCs

Processes:

msdtc.exemsdtc.exemsdtc.exe

pid process

2180 msdtc.exe
1644 msdtc.exe
4492 msdtc.exe

pid	process
2180	msdtc.exe
1644	msdtc.exe
4492	msdtc.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5060-139-0x0000000000B60000-0x0000000000F44000-memory.dmp	upx
behavioral2/memory/5060-140-0x0000000000B60000-0x0000000000F44000-memory.dmp	upx
behavioral2/memory/5008-145-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-148-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-153-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-156-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5048-162-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx
behavioral2/memory/5048-163-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx
behavioral2/memory/4924-168-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-170-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-171-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-172-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-174-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2196-181-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx
behavioral2/memory/2196-182-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

5008 RegAsm.exe
5008 RegAsm.exe
5008 RegAsm.exe
5008 RegAsm.exe
5008 RegAsm.exe

pid	process
5008	RegAsm.exe
5008	RegAsm.exe
5008	RegAsm.exe
5008	RegAsm.exe
5008	RegAsm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

FedEx00B1915_parsed.exemsdtc.exemsdtc.exeRegAsm.exemsdtc.exe

description	pid	process	target process
PID 1472 set thread context of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 2180 set thread context of 5008	2180	msdtc.exe	RegAsm.exe
PID 1644 set thread context of 5048	1644	msdtc.exe	RegAsm.exe
PID 5008 set thread context of 4924	5008	RegAsm.exe	RegAsm.exe
PID 4492 set thread context of 2196	4492	msdtc.exe	RegAsm.exe

Drops file in Windows directory 25 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll	RegAsm.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2208 5060 WerFault.exe RegAsm.exe
1648 5048 WerFault.exe RegAsm.exe
260 2196 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3644 schtasks.exe
3664 schtasks.exe
2552 schtasks.exe
1552 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 5008 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

5008 RegAsm.exe
5008 RegAsm.exe

pid	pid_target	process	target process
2208	5060	WerFault.exe	RegAsm.exe
1648	5048	WerFault.exe	RegAsm.exe
260	2196	WerFault.exe	RegAsm.exe

pid	process
3644	schtasks.exe
3664	schtasks.exe
2552	schtasks.exe
1552	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	5008	RegAsm.exe

pid	process
5008	RegAsm.exe
5008	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FedEx00B1915_parsed.execmd.exemsdtc.execmd.exemsdtc.execmd.exeRegAsm.exe

description	pid	process	target process
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	RegAsm.exe
PID 1472 wrote to memory of 1424	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 1424	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 1424	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 4968	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 4968	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 4968	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 4020	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 4020	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 1472 wrote to memory of 4020	1472	FedEx00B1915_parsed.exe	cmd.exe
PID 4968 wrote to memory of 3644	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 3644	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 3644	4968	cmd.exe	schtasks.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 5008	2180	msdtc.exe	RegAsm.exe
PID 2180 wrote to memory of 4168	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 4168	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 4168	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 1748	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 1748	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 1748	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 4904	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 4904	2180	msdtc.exe	cmd.exe
PID 2180 wrote to memory of 4904	2180	msdtc.exe	cmd.exe
PID 1748 wrote to memory of 3664	1748	cmd.exe	schtasks.exe
PID 1748 wrote to memory of 3664	1748	cmd.exe	schtasks.exe
PID 1748 wrote to memory of 3664	1748	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 5048	1644	msdtc.exe	RegAsm.exe
PID 1644 wrote to memory of 4912	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 4912	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 4912	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 1420	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 1420	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 1420	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 3516	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 3516	1644	msdtc.exe	cmd.exe
PID 1644 wrote to memory of 3516	1644	msdtc.exe	cmd.exe
PID 1420 wrote to memory of 2552	1420	cmd.exe	schtasks.exe
PID 1420 wrote to memory of 2552	1420	cmd.exe	schtasks.exe
PID 1420 wrote to memory of 2552	1420	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\FedEx00B1915_parsed.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx00B1915_parsed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 540
3⤵
- Program crash
PID:2208

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
2⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\FedEx00B1915_parsed.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
2⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5060 -ip 5060
1⤵
PID:4820

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
-a "C:\Users\Admin\AppData\Local\56110c9a\plg\CtZBaqlY.json"
3⤵
- Drops file in Windows directory
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
4⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
2⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3664

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
2⤵
PID:4904

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 540
3⤵
- Program crash
PID:1648

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
2⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2552

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
2⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5048 -ip 5048
1⤵
PID:1412

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 540
3⤵
- Program crash
PID:260

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
2⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
2⤵
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
2⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2196 -ip 2196
1⤵
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\56110c9a\plg\CtZBaqlY.json
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msdtc.exe.log
Filesize
517B

MD5
3334ecde6536c93e216decce323cbe3e

SHA1
277f9a4e3a14c5dbe6b92fabac8b2050cab3629b

SHA256
494fcff7f11e2d7ea9abfbf91d6dea2595388ab4c45269e5fd74c82796d0a76a

SHA512
2830773d60aa9fe73c7e0a28502e198d931422b4a1df9a0b844d3952bb0aed7aa2b5da39e1adf145c9e6c2f75a33560da23c9b2b774fb38718bde066eafcad9d

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
memory/1420-164-0x0000000000000000-mapping.dmp

Download
memory/1424-136-0x0000000000000000-mapping.dmp

Download
memory/1472-132-0x0000000000A10000-0x0000000000BC0000-memory.dmp

Filesize
1.7MB

Download
memory/1472-133-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1552-186-0x0000000000000000-mapping.dmp

Download
memory/1748-150-0x0000000000000000-mapping.dmp

Download
memory/2020-183-0x0000000000000000-mapping.dmp

Download
memory/2196-181-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/2196-179-0x0000000000000000-mapping.dmp

Download
memory/2196-182-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/2552-166-0x0000000000000000-mapping.dmp

Download
memory/3516-165-0x0000000000000000-mapping.dmp

Download
memory/3644-141-0x0000000000000000-mapping.dmp

Download
memory/3664-152-0x0000000000000000-mapping.dmp

Download
memory/4020-138-0x0000000000000000-mapping.dmp

Download
memory/4168-149-0x0000000000000000-mapping.dmp

Download
memory/4328-185-0x0000000000000000-mapping.dmp

Download
memory/4808-184-0x0000000000000000-mapping.dmp

Download
memory/4904-151-0x0000000000000000-mapping.dmp

Download
memory/4912-161-0x0000000000000000-mapping.dmp

Download
memory/4924-171-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-174-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-172-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-170-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-168-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-167-0x0000000000000000-mapping.dmp

Download
memory/4968-137-0x0000000000000000-mapping.dmp

Download
memory/5008-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-177-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/5008-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-176-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/5008-156-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-155-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/5008-154-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/5008-144-0x0000000000000000-mapping.dmp

Download
memory/5008-145-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-153-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-173-0x0000000000000000-mapping.dmp

Download
memory/5048-163-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/5048-159-0x0000000000000000-mapping.dmp

Download
memory/5048-162-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/5060-134-0x0000000000000000-mapping.dmp

Download
memory/5060-140-0x0000000000B60000-0x0000000000F44000-memory.dmp

Filesize
3.9MB

Download
memory/5060-139-0x0000000000B60000-0x0000000000F44000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads