bitrat | 66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9874cdde692f485a1c609aeafd075c3.exe
Size

16.5MB
MD5

b9874cdde692f485a1c609aeafd075c3
SHA1

8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce
SHA256

66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb
SHA512

955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee
SSDEEP

98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

Score

10^/10

bitrat hiverat quasar et rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

orcus.dyndns.org:1605

lsdw.dyndns.org:1606

labeokunta.dynnds.org:1606

xpert.dyndns.biz:1605

qz.dyndns.org:1605

imageline.dyndns.org:1606

kontakt-update.selfip.net:1606

Mutex

QSR_MUTEX_X8N0tEAk1p1Gbe9ioj

Attributes

encryption_key
jVpAHlJqCIQYSDZsOYMx
install_name
Client.exe
log_directory
db.xlm
reconnect_delay
30000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

bitrat

Version

1.38

hiv.dyndns.org:2222

Attributes

communication_password
194dd40edef1873b88c241057bb55f1b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

flow	ioc	pid	Process
60	ip-api.com		Process not Found
		2724	PING.EXE
101	ip-api.com		Process not Found

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4336-5-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

HiveRAT payload 11 IoCs

resource	yara_rule
behavioral2/memory/4352-6-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-9-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-23-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-25-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-27-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-36-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-42-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-44-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-46-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/2484-134-0x0000000001550000-0x00000000015DE000-memory.dmp	family_hiverat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	b9874cdde692f485a1c609aeafd075c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	b9874cdde692f485a1c609aeafd075c3.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ip-api.com
101	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
384	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3244 set thread context of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 set thread context of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 set thread context of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3668 set thread context of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 set thread context of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 set thread context of 384	3668	b9874cdde692f485a1c609aeafd075c3.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5060	4336	WerFault.exe	103
4860	4312	WerFault.exe	122

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2724	PING.EXE
4940	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4352	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeShutdownPrivilege	3516	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeDebugPrivilege	4336	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeDebugPrivilege	2484	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeDebugPrivilege	4312	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeShutdownPrivilege	384	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
4336	b9874cdde692f485a1c609aeafd075c3.exe
4312	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	103
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	104
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	105
PID 4336 wrote to memory of 2936	4336	b9874cdde692f485a1c609aeafd075c3.exe	107
PID 4336 wrote to memory of 2936	4336	b9874cdde692f485a1c609aeafd075c3.exe	107
PID 4336 wrote to memory of 2936	4336	b9874cdde692f485a1c609aeafd075c3.exe	107
PID 2936 wrote to memory of 400	2936	cmd.exe	110
PID 2936 wrote to memory of 400	2936	cmd.exe	110
PID 2936 wrote to memory of 400	2936	cmd.exe	110
PID 2936 wrote to memory of 2724	2936	cmd.exe	111
PID 2936 wrote to memory of 2724	2936	cmd.exe	111
PID 2936 wrote to memory of 2724	2936	cmd.exe	111
PID 2936 wrote to memory of 3668	2936	cmd.exe	113
PID 2936 wrote to memory of 3668	2936	cmd.exe	113
PID 2936 wrote to memory of 3668	2936	cmd.exe	113
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	122
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	123

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
  "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Quasar RAT
      Runs ping.exe
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
      "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vemGXra0EGNF.bat" "
        6⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 2248
        6⤵
        Program crash
        
        PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 2216
    3⤵
    - Program crash
    PID:5060
- C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
  "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
  "C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4336 -ip 4336
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4312 -ip 4312
1⤵
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b9874cdde692f485a1c609aeafd075c3.exe.log

Filesize
323B

MD5
4af72c00db90b95c23cc32823c5b0453

SHA1
80f3754f05c09278987cba54e34b76f1ddbee5fd

SHA256
5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

SHA512
47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat

Filesize
229B

MD5
ade7d46d917f5b9c7d7783b244e82b79

SHA1
58fbb677f535c6215b3175e369379fa374591bff

SHA256
9a900ccbb36e27c0d68bf459c31c58961b3c4d05a18ed7893afa2629c914e7cb

SHA512
0d07599848acfe2809ce72bfad58ad834b84536e5f8bc6b9b6e1afe3f62dfda7f7ffc0c9f135b110a52d7a209adcd6cb54eba1e41aa3bf8b34912398fd52f0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vemGXra0EGNF.bat

Filesize
229B

MD5
d642bdd074037e7d4b23e7cf6652fd46

SHA1
eba2d857a6afb55270d6bc43224d5131cfcafe41

SHA256
23915628456f16ac12b6dc31a4e814379b33424bd555be010842360fd1c33b5f

SHA512
512f4e181d12a348cb17a4f7d2c65b9c8f6323b858247b05de472f8ebc4598dc6afe3c96192efad7f102cd62c6f095c17e6388a6bc3d3cf34316d0715cda3b69

Download Submit
C:\Users\Admin\AppData\Roaming\db.xlm\03-07-2024

Filesize
224B

MD5
b406aa4ee7f4bff372859eed790329d1

SHA1
426527561522ea4e846ddad0d0ecc269cd616228

SHA256
8a2bf4593a08843ff796bcfc951859dca414d0572d0ab661d03c5ac2fe7ce0fd

SHA512
84fde5df3ae7c793b58a42be2913c9f58015432a66da00fc279eef4fe5f4a520aafec1eec86910f503f135df2725ced5de254d8c04a0e75e0b7c34fc43abc6ed

Download Submit
memory/384-120-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/384-193-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/384-191-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/2484-133-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2484-182-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2484-181-0x00000000059F0000-0x0000000005A00000-memory.dmp

Filesize
64KB

Download
memory/2484-134-0x0000000001550000-0x00000000015DE000-memory.dmp

Filesize
568KB

Download
memory/3244-4-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/3244-3-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3244-2-0x0000000006790000-0x000000000682C000-memory.dmp

Filesize
624KB

Download
memory/3244-0-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3244-16-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3244-1-0x0000000000D50000-0x0000000001DDC000-memory.dmp

Filesize
16.5MB

Download
memory/3516-100-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-196-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-84-0x0000000070990000-0x00000000709C9000-memory.dmp

Filesize
228KB

Download
memory/3516-107-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-104-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-97-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-62-0x0000000071C80000-0x0000000071CB9000-memory.dmp

Filesize
228KB

Download
memory/3516-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-78-0x0000000070C00000-0x0000000070C39000-memory.dmp

Filesize
228KB

Download
memory/3516-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-92-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3668-93-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3668-101-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3668-119-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4312-112-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4312-115-0x0000000006680000-0x0000000006690000-memory.dmp

Filesize
64KB

Download
memory/4312-189-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4336-22-0x00000000064A0000-0x00000000064B0000-memory.dmp

Filesize
64KB

Download
memory/4336-81-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/4336-79-0x00000000076D0000-0x000000000770C000-memory.dmp

Filesize
240KB

Download
memory/4336-89-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-63-0x0000000007050000-0x0000000007062000-memory.dmp

Filesize
72KB

Download
memory/4336-12-0x0000000006880000-0x0000000006E24000-memory.dmp

Filesize
5.6MB

Download
memory/4336-11-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-31-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download
memory/4336-15-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/4352-96-0x0000000006260000-0x0000000006270000-memory.dmp

Filesize
64KB

Download
memory/4352-27-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-36-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-42-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-44-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-46-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-17-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4352-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-9-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-25-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-70-0x0000000006260000-0x0000000006270000-memory.dmp

Filesize
64KB

Download
memory/4352-6-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-90-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4352-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads