bitrat | 08b44be5d6721d2b20fa1de5fa8d1f80d84d9d424f6fefc06b01a9a81670aec8

General

Target

8924a53be46439d1c258a10b59596b77.exe
Size

3.0MB
MD5

8924a53be46439d1c258a10b59596b77
SHA1

6cf13347e475772a66e67f5f529a908956dfd00d
SHA256

08b44be5d6721d2b20fa1de5fa8d1f80d84d9d424f6fefc06b01a9a81670aec8
SHA512

b322d44280e7eff437d0c429f6cfd7af7cf05ea0a8598a9dd42a89b1b6712a1c5f80f1a676d7e1eaf71188f82b68e5c32078e3b376efea97c81df2d594b8eeab
SSDEEP

49152:YJXZRkXRxWCBu72E76E5jXVL5w9lmVOALga7n0Yy:Ky

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

194.33.45.3:4898

Attributes

communication_password
89ec00ac3524ab4f7edd70785d23e302
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8924a53be46439d1c258a10b59596b77.exeAdvancedRun.exeAdvancedRun.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	8924a53be46439d1c258a10b59596b77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

1540 AdvancedRun.exe
4684 AdvancedRun.exe
4864 AdvancedRun.exe
5012 AdvancedRun.exe

pid	process
1540	AdvancedRun.exe
4684	AdvancedRun.exe
4864	AdvancedRun.exe
5012	AdvancedRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exe

pid	process
244	8924a53be46439d1c258a10b59596b77.exe
244	8924a53be46439d1c258a10b59596b77.exe
244	8924a53be46439d1c258a10b59596b77.exe
244	8924a53be46439d1c258a10b59596b77.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exe

description pid process target process

PID 3996 set thread context of 244 3996 8924a53be46439d1c258a10b59596b77.exe 8924a53be46439d1c258a10b59596b77.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3996 set thread context of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe8924a53be46439d1c258a10b59596b77.exepowershell.exe

pid	process
2956	powershell.exe
2956	powershell.exe
696	powershell.exe
696	powershell.exe
2904	powershell.exe
2904	powershell.exe
1540	AdvancedRun.exe
1540	AdvancedRun.exe
1540	AdvancedRun.exe
1540	AdvancedRun.exe
4684	AdvancedRun.exe
4684	AdvancedRun.exe
4684	AdvancedRun.exe
4684	AdvancedRun.exe
4864	AdvancedRun.exe
4864	AdvancedRun.exe
4864	AdvancedRun.exe
4864	AdvancedRun.exe
5012	AdvancedRun.exe
5012	AdvancedRun.exe
5012	AdvancedRun.exe
5012	AdvancedRun.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
3996	8924a53be46439d1c258a10b59596b77.exe
624	powershell.exe
624	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exe8924a53be46439d1c258a10b59596b77.exe

description	pid	process
Token: SeDebugPrivilege	3996	8924a53be46439d1c258a10b59596b77.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1540	AdvancedRun.exe
Token: SeImpersonatePrivilege	1540	AdvancedRun.exe
Token: SeDebugPrivilege	4684	AdvancedRun.exe
Token: SeImpersonatePrivilege	4684	AdvancedRun.exe
Token: SeDebugPrivilege	4864	AdvancedRun.exe
Token: SeImpersonatePrivilege	4864	AdvancedRun.exe
Token: SeDebugPrivilege	5012	AdvancedRun.exe
Token: SeImpersonatePrivilege	5012	AdvancedRun.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeShutdownPrivilege	244	8924a53be46439d1c258a10b59596b77.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exe

pid process

244 8924a53be46439d1c258a10b59596b77.exe
244 8924a53be46439d1c258a10b59596b77.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 3996 wrote to memory of 2956	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 2956	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 2956	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 696	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 696	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 696	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 2904	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 2904	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 2904	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 1540	3996	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 3996 wrote to memory of 1540	3996	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 3996 wrote to memory of 1540	3996	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 1540 wrote to memory of 4684	1540	AdvancedRun.exe	AdvancedRun.exe
PID 1540 wrote to memory of 4684	1540	AdvancedRun.exe	AdvancedRun.exe
PID 1540 wrote to memory of 4684	1540	AdvancedRun.exe	AdvancedRun.exe
PID 3996 wrote to memory of 4864	3996	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 3996 wrote to memory of 4864	3996	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 3996 wrote to memory of 4864	3996	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 4864 wrote to memory of 5012	4864	AdvancedRun.exe	AdvancedRun.exe
PID 4864 wrote to memory of 5012	4864	AdvancedRun.exe	AdvancedRun.exe
PID 4864 wrote to memory of 5012	4864	AdvancedRun.exe	AdvancedRun.exe
PID 3996 wrote to memory of 624	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 624	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 624	3996	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 3996 wrote to memory of 4100	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 4100	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 4100	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 3996 wrote to memory of 244	3996	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe

C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
"C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1540
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 4864
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
2⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
b022611eea90381b5ca48efb17df14d6

SHA1
b29639a9712e1a00d122e90a5731a41fce4842f9

SHA256
225d6236815aa88f653457487c036215e89c2e9c474ee0ca76bf02ef94a0c5dd

SHA512
8b58dc2112b524c094b83a458e8686225027051e93eb038a5f1d87935b6bac595e93f73d397fa4755bed63538150fa3e2d2e77c7d2afdf90124f82db06c70baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
d66ba96f064931f532efcdd7d1cad3a2

SHA1
2cb46e4a5b108d774bd5d6d58790bf2170ed050e

SHA256
438ffef6590f7bc79ef72d000937eea907b98c251861a95b91700633edfe579f

SHA512
b1dde20f21c374c969ab3b81daae9eca7bde6fda06a7fa44780255f386d054b6d93ba677f4f1779eedad6a057fe21083df24840664bf7b00ea8c78f355f9bc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
5d649685014806eb58733f9d8f83a599

SHA1
8bb0ce8af559dc45c627ec0fb6de731eb459fab3

SHA256
82f7f0023949f044b9c9a25082862b3507c478f87a8cf80ee0752249a889bad5

SHA512
863841254d6a5940c3cd47d275a20ee183476e06e8615ad349e7482ecf90822a8babac0eae23f4f13a13d6940b1eb92a2bf1a89939b90ae92c90aa1a41163a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lsqevhni.wos.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/244-102-0x0000000071600000-0x0000000071639000-memory.dmp

Filesize
228KB

Download
memory/244-97-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-108-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-109-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-101-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-96-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-107-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-100-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-110-0x0000000074F00000-0x0000000074F39000-memory.dmp

Filesize
228KB

Download
memory/244-98-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-111-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-112-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-113-0x0000000074F00000-0x0000000074F39000-memory.dmp

Filesize
228KB

Download
memory/244-94-0x00000000716C0000-0x00000000716F9000-memory.dmp

Filesize
228KB

Download
memory/244-95-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/244-99-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/624-103-0x0000000006E10000-0x0000000006EA6000-memory.dmp

Filesize
600KB

Download
memory/624-71-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/624-106-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/624-80-0x0000000005590000-0x00000000058E4000-memory.dmp

Filesize
3.3MB

Download
memory/624-104-0x00000000060E0000-0x0000000006102000-memory.dmp

Filesize
136KB

Download
memory/624-77-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/624-92-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/624-75-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/696-30-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/696-31-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/696-29-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/696-43-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2904-45-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2904-44-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2904-58-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2956-24-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/2956-8-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/2956-3-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/2956-6-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2956-5-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2956-4-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2956-7-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/2956-9-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/2956-27-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2956-23-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/2956-10-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/2956-22-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/2956-21-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/2956-20-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/3996-0-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3996-56-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3996-81-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3996-59-0x0000000005950000-0x0000000005B46000-memory.dmp

Filesize
2.0MB

Download
memory/3996-60-0x0000000006B50000-0x0000000006D2A000-memory.dmp

Filesize
1.9MB

Download
memory/3996-68-0x0000000006D30000-0x0000000006DC2000-memory.dmp

Filesize
584KB

Download
memory/3996-69-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/3996-2-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3996-1-0x0000000000310000-0x0000000000606000-memory.dmp

Filesize
3.0MB

Download
memory/4100-73-0x0000000000400000-0x0000000000400000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads