bitrat | 07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FedEx00B1915_parsed.exe
Size

1.7MB
MD5

e6641a7a0c61243081e9342c2e5076c6
SHA1

035914a1d0244039d43c48cadcab0439ed6855d0
SHA256

07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067
SHA512

fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda
SSDEEP

49152:rl3Nx5txMWMlY23V6MKAL1BVHiBIHKG5HqMG:xH50WOY2lxKALpHhKo3G

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

akatabit1915.duckdns.org:1915

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 3 IoCs

pid	Process
2180	msdtc.exe
1644	msdtc.exe
4492	msdtc.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-139-0x0000000000B60000-0x0000000000F44000-memory.dmp	upx
behavioral2/memory/5060-140-0x0000000000B60000-0x0000000000F44000-memory.dmp	upx
behavioral2/memory/5008-145-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-148-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-153-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5008-156-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5048-162-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx
behavioral2/memory/5048-163-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx
behavioral2/memory/4924-168-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-170-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-171-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-172-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4924-174-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2196-181-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx
behavioral2/memory/2196-182-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
5008	RegAsm.exe
5008	RegAsm.exe
5008	RegAsm.exe
5008	RegAsm.exe
5008	RegAsm.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 5060	1472	FedEx00B1915_parsed.exe	82
PID 2180 set thread context of 5008	2180	msdtc.exe	94
PID 1644 set thread context of 5048	1644	msdtc.exe	109
PID 5008 set thread context of 4924	5008	RegAsm.exe	119
PID 4492 set thread context of 2196	4492	msdtc.exe	123

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll	RegAsm.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2208	5060	WerFault.exe	82
1648	5048	WerFault.exe	109
260	2196	WerFault.exe	123

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3644	schtasks.exe
3664	schtasks.exe
2552	schtasks.exe
1552	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5008	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5008	RegAsm.exe
5008	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 5060	1472	FedEx00B1915_parsed.exe	82
PID 1472 wrote to memory of 1424	1472	FedEx00B1915_parsed.exe	83
PID 1472 wrote to memory of 1424	1472	FedEx00B1915_parsed.exe	83
PID 1472 wrote to memory of 1424	1472	FedEx00B1915_parsed.exe	83
PID 1472 wrote to memory of 4968	1472	FedEx00B1915_parsed.exe	85
PID 1472 wrote to memory of 4968	1472	FedEx00B1915_parsed.exe	85
PID 1472 wrote to memory of 4968	1472	FedEx00B1915_parsed.exe	85
PID 1472 wrote to memory of 4020	1472	FedEx00B1915_parsed.exe	87
PID 1472 wrote to memory of 4020	1472	FedEx00B1915_parsed.exe	87
PID 1472 wrote to memory of 4020	1472	FedEx00B1915_parsed.exe	87
PID 4968 wrote to memory of 3644	4968	cmd.exe	89
PID 4968 wrote to memory of 3644	4968	cmd.exe	89
PID 4968 wrote to memory of 3644	4968	cmd.exe	89
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 5008	2180	msdtc.exe	94
PID 2180 wrote to memory of 4168	2180	msdtc.exe	95
PID 2180 wrote to memory of 4168	2180	msdtc.exe	95
PID 2180 wrote to memory of 4168	2180	msdtc.exe	95
PID 2180 wrote to memory of 1748	2180	msdtc.exe	97
PID 2180 wrote to memory of 1748	2180	msdtc.exe	97
PID 2180 wrote to memory of 1748	2180	msdtc.exe	97
PID 2180 wrote to memory of 4904	2180	msdtc.exe	98
PID 2180 wrote to memory of 4904	2180	msdtc.exe	98
PID 2180 wrote to memory of 4904	2180	msdtc.exe	98
PID 1748 wrote to memory of 3664	1748	cmd.exe	101
PID 1748 wrote to memory of 3664	1748	cmd.exe	101
PID 1748 wrote to memory of 3664	1748	cmd.exe	101
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 5048	1644	msdtc.exe	109
PID 1644 wrote to memory of 4912	1644	msdtc.exe	110
PID 1644 wrote to memory of 4912	1644	msdtc.exe	110
PID 1644 wrote to memory of 4912	1644	msdtc.exe	110
PID 1644 wrote to memory of 1420	1644	msdtc.exe	112
PID 1644 wrote to memory of 1420	1644	msdtc.exe	112
PID 1644 wrote to memory of 1420	1644	msdtc.exe	112
PID 1644 wrote to memory of 3516	1644	msdtc.exe	114
PID 1644 wrote to memory of 3516	1644	msdtc.exe	114
PID 1644 wrote to memory of 3516	1644	msdtc.exe	114
PID 1420 wrote to memory of 2552	1420	cmd.exe	117
PID 1420 wrote to memory of 2552	1420	cmd.exe	117
PID 1420 wrote to memory of 2552	1420	cmd.exe	117
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119
PID 5008 wrote to memory of 4924	5008	RegAsm.exe	119

C:\Users\Admin\AppData\Local\Temp\FedEx00B1915_parsed.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx00B1915_parsed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 540
    3⤵
    - Program crash
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
  2⤵
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\FedEx00B1915_parsed.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
  2⤵
  PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5060 -ip 5060
1⤵
PID:4820

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    -a "C:\Users\Admin\AppData\Local\56110c9a\plg\CtZBaqlY.json"
    3⤵
    - Drops file in Windows directory
    PID:4924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
      4⤵
      PID:5036
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
  2⤵
  PID:4168
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
  2⤵
  PID:4904

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 540
    3⤵
    - Program crash
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
  2⤵
  PID:4912
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
  2⤵
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5048 -ip 5048
1⤵
PID:1412

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 540
    3⤵
    - Program crash
    PID:260
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
  2⤵
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2196 -ip 2196
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\56110c9a\plg\CtZBaqlY.json

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msdtc.exe.log

Filesize
517B

MD5
3334ecde6536c93e216decce323cbe3e

SHA1
277f9a4e3a14c5dbe6b92fabac8b2050cab3629b

SHA256
494fcff7f11e2d7ea9abfbf91d6dea2595388ab4c45269e5fd74c82796d0a76a

SHA512
2830773d60aa9fe73c7e0a28502e198d931422b4a1df9a0b844d3952bb0aed7aa2b5da39e1adf145c9e6c2f75a33560da23c9b2b774fb38718bde066eafcad9d

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe

Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe

Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe

Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe

Filesize
1.7MB

MD5
e6641a7a0c61243081e9342c2e5076c6

SHA1
035914a1d0244039d43c48cadcab0439ed6855d0

SHA256
07a3e0b0b46beba9fcf603b62237748395cb801229e19500ff0e5cb38c12c067

SHA512
fe6049ed585272f8dac944bfdb402241c0f0e844c2e210c2f61a1d96fbeb451e5bddc3e69b22febd2c1dffc5357b951d28710fcde61bab31e11b6f5ff8b0ceda

Download Submit
memory/1472-132-0x0000000000A10000-0x0000000000BC0000-memory.dmp

Filesize
1.7MB

Download
memory/1472-133-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/2196-181-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/2196-182-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/4924-171-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-174-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-172-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-170-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4924-168-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/5008-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-177-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/5008-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-176-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/5008-156-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-155-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/5008-154-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/5008-145-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5008-153-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5048-163-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/5048-162-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/5060-140-0x0000000000B60000-0x0000000000F44000-memory.dmp

Filesize
3.9MB

Download
memory/5060-139-0x0000000000B60000-0x0000000000F44000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads