bitrat | cedeaa413faa17df7cc8b5ce69781ef7b1685019688b436202374b04d84ba707

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Size

4.0MB
MD5

67fbc520347261992e947a43e1448c58
SHA1

da1950a26358844a172909b032f728d0ea07d1eb
SHA256

cedeaa413faa17df7cc8b5ce69781ef7b1685019688b436202374b04d84ba707
SHA512

6e64138516359367b92a5f82205d54b5761fdddc038d968078198583e12cb8947112f0aa2ac2d9fbef46ecb2d0a3c5fcf9ad5709b612de2bd1051a7f4977e11f
SSDEEP

98304:A77Pmq33rE/JDLPWZADUGer7B6iY74M//mlwXVZzFB:++R/eZADUXR

Score

10^/10

bitrat discovery persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

51.222.69.215:8320

Attributes

communication_password
0040f2abc2cff0c8f59883b99ae9fab6
install_dir
Windows
install_file
svchost.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

Executes dropped EXE 29 IoCs

pid	Process
2304	svchost.exe
804	svchost.exe
392	svchost.exe
4456	svchost.exe
3868	svchost.exe
6064	svchost.exe
5204	svchost.exe
4976	svchost.exe
3612	svchost.exe
3852	svchost.exe
4884	svchost.exe
3776	svchost.exe
4620	svchost.exe
4684	svchost.exe
4140	svchost.exe
1168	svchost.exe
1004	svchost.exe
3388	svchost.exe
1200	svchost.exe
3456	svchost.exe
112	svchost.exe
1040	svchost.exe
4980	svchost.exe
740	svchost.exe
1132	svchost.exe
456	svchost.exe
4800	svchost.exe
4788	svchost.exe
4820	svchost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe谀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe猀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe耀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe餀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe䜀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe瀀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe琀"	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
4544	svchost.exe
2304	svchost.exe
804	svchost.exe
392	svchost.exe
4456	svchost.exe
3868	svchost.exe
6064	svchost.exe
5204	svchost.exe
4976	svchost.exe
3612	svchost.exe
3852	svchost.exe
4884	svchost.exe
3776	svchost.exe
4620	svchost.exe
4684	svchost.exe
4140	svchost.exe
1168	svchost.exe
1004	svchost.exe
3388	svchost.exe
1200	svchost.exe
3456	svchost.exe
112	svchost.exe
1040	svchost.exe
4980	svchost.exe
740	svchost.exe
1132	svchost.exe
456	svchost.exe
4800	svchost.exe
4788	svchost.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1748-0-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4544-4-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1748-5-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/files/0x0007000000024201-6.dat	upx
behavioral1/memory/1748-7-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/2304-9-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/804-12-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/392-16-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4456-19-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1748-22-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3868-24-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/6064-27-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/5204-31-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4976-34-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3612-38-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3852-40-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3852-42-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4884-46-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3776-50-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1748-53-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4620-55-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4684-58-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4140-60-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/4140-63-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1168-65-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1168-67-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1004-69-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1004-72-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3388-76-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1748-79-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1200-81-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/3456-84-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/112-88-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral1/memory/1748-98-0x0000000000400000-0x000000000080C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: RenamesItself 30 IoCs

pid	Process
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
Token: SeShutdownPrivilege	4544	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	804	svchost.exe
Token: SeShutdownPrivilege	392	svchost.exe
Token: SeShutdownPrivilege	4456	svchost.exe
Token: SeShutdownPrivilege	3868	svchost.exe
Token: SeShutdownPrivilege	6064	svchost.exe
Token: SeShutdownPrivilege	5204	svchost.exe
Token: SeShutdownPrivilege	4976	svchost.exe
Token: SeShutdownPrivilege	3612	svchost.exe
Token: SeShutdownPrivilege	3852	svchost.exe
Token: SeShutdownPrivilege	4884	svchost.exe
Token: SeShutdownPrivilege	3776	svchost.exe
Token: SeShutdownPrivilege	4620	svchost.exe
Token: SeShutdownPrivilege	4684	svchost.exe
Token: SeShutdownPrivilege	4140	svchost.exe
Token: SeShutdownPrivilege	1168	svchost.exe
Token: SeShutdownPrivilege	1004	svchost.exe
Token: SeShutdownPrivilege	3388	svchost.exe
Token: SeShutdownPrivilege	1200	svchost.exe
Token: SeShutdownPrivilege	3456	svchost.exe
Token: SeShutdownPrivilege	112	svchost.exe
Token: SeShutdownPrivilege	1040	svchost.exe
Token: SeShutdownPrivilege	4980	svchost.exe
Token: SeShutdownPrivilege	740	svchost.exe
Token: SeShutdownPrivilege	1132	svchost.exe
Token: SeShutdownPrivilege	456	svchost.exe
Token: SeShutdownPrivilege	4800	svchost.exe
Token: SeShutdownPrivilege	4788	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
1748	2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5452 wrote to memory of 4544	5452	cmd.exe	91
PID 5452 wrote to memory of 4544	5452	cmd.exe	91
PID 5452 wrote to memory of 4544	5452	cmd.exe	91
PID 4676 wrote to memory of 2304	4676	cmd.exe	94
PID 4676 wrote to memory of 2304	4676	cmd.exe	94
PID 4676 wrote to memory of 2304	4676	cmd.exe	94
PID 4528 wrote to memory of 804	4528	cmd.exe	104
PID 4528 wrote to memory of 804	4528	cmd.exe	104
PID 4528 wrote to memory of 804	4528	cmd.exe	104
PID 4108 wrote to memory of 392	4108	cmd.exe	109
PID 4108 wrote to memory of 392	4108	cmd.exe	109
PID 4108 wrote to memory of 392	4108	cmd.exe	109
PID 5344 wrote to memory of 4456	5344	cmd.exe	112
PID 5344 wrote to memory of 4456	5344	cmd.exe	112
PID 5344 wrote to memory of 4456	5344	cmd.exe	112
PID 3576 wrote to memory of 3868	3576	cmd.exe	115
PID 3576 wrote to memory of 3868	3576	cmd.exe	115
PID 3576 wrote to memory of 3868	3576	cmd.exe	115
PID 6068 wrote to memory of 6064	6068	cmd.exe	120
PID 6068 wrote to memory of 6064	6068	cmd.exe	120
PID 6068 wrote to memory of 6064	6068	cmd.exe	120
PID 3676 wrote to memory of 5204	3676	cmd.exe	123
PID 3676 wrote to memory of 5204	3676	cmd.exe	123
PID 3676 wrote to memory of 5204	3676	cmd.exe	123
PID 3544 wrote to memory of 4976	3544	cmd.exe	126
PID 3544 wrote to memory of 4976	3544	cmd.exe	126
PID 3544 wrote to memory of 4976	3544	cmd.exe	126
PID 1964 wrote to memory of 3612	1964	cmd.exe	129
PID 1964 wrote to memory of 3612	1964	cmd.exe	129
PID 1964 wrote to memory of 3612	1964	cmd.exe	129
PID 2800 wrote to memory of 3852	2800	cmd.exe	132
PID 2800 wrote to memory of 3852	2800	cmd.exe	132
PID 2800 wrote to memory of 3852	2800	cmd.exe	132
PID 3068 wrote to memory of 4884	3068	cmd.exe	135
PID 3068 wrote to memory of 4884	3068	cmd.exe	135
PID 3068 wrote to memory of 4884	3068	cmd.exe	135
PID 5104 wrote to memory of 3776	5104	cmd.exe	139
PID 5104 wrote to memory of 3776	5104	cmd.exe	139
PID 5104 wrote to memory of 3776	5104	cmd.exe	139
PID 4588 wrote to memory of 4620	4588	cmd.exe	142
PID 4588 wrote to memory of 4620	4588	cmd.exe	142
PID 4588 wrote to memory of 4620	4588	cmd.exe	142
PID 4736 wrote to memory of 4684	4736	cmd.exe	145
PID 4736 wrote to memory of 4684	4736	cmd.exe	145
PID 4736 wrote to memory of 4684	4736	cmd.exe	145
PID 4304 wrote to memory of 4140	4304	cmd.exe	148
PID 4304 wrote to memory of 4140	4304	cmd.exe	148
PID 4304 wrote to memory of 4140	4304	cmd.exe	148
PID 5092 wrote to memory of 1168	5092	cmd.exe	151
PID 5092 wrote to memory of 1168	5092	cmd.exe	151
PID 5092 wrote to memory of 1168	5092	cmd.exe	151
PID 2388 wrote to memory of 1004	2388	cmd.exe	154
PID 2388 wrote to memory of 1004	2388	cmd.exe	154
PID 2388 wrote to memory of 1004	2388	cmd.exe	154
PID 2412 wrote to memory of 3388	2412	cmd.exe	158
PID 2412 wrote to memory of 3388	2412	cmd.exe	158
PID 2412 wrote to memory of 3388	2412	cmd.exe	158
PID 1216 wrote to memory of 1200	1216	cmd.exe	161
PID 1216 wrote to memory of 1200	1216	cmd.exe	161
PID 1216 wrote to memory of 1200	1216	cmd.exe	161
PID 6104 wrote to memory of 3456	6104	cmd.exe	164
PID 6104 wrote to memory of 3456	6104	cmd.exe	164
PID 6104 wrote to memory of 3456	6104	cmd.exe	164
PID 4940 wrote to memory of 112	4940	cmd.exe	167

C:\Users\Admin\AppData\Local\Temp\2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_67fbc520347261992e947a43e1448c58_bitrat_black-basta_coinminer_luca-stealer.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5452
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5344
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6068
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6104
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:228
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Windows\svchost.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Windows\svchost.exe
  C:\Users\Admin\AppData\Local\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Windows\svchost.exe

Filesize
4.0MB

MD5
67fbc520347261992e947a43e1448c58

SHA1
da1950a26358844a172909b032f728d0ea07d1eb

SHA256
cedeaa413faa17df7cc8b5ce69781ef7b1685019688b436202374b04d84ba707

SHA512
6e64138516359367b92a5f82205d54b5761fdddc038d968078198583e12cb8947112f0aa2ac2d9fbef46ecb2d0a3c5fcf9ad5709b612de2bd1051a7f4977e11f

Download Submit
memory/112-88-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/112-87-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/392-16-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/392-15-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/804-11-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/804-12-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1004-72-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1004-71-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1004-69-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1168-67-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1168-65-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1168-66-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1200-80-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1200-81-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-22-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-79-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-0-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-98-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-96-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1748-1-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

Filesize
228KB

Download
memory/1748-2-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1748-48-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1748-5-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-51-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

Filesize
228KB

Download
memory/1748-78-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1748-7-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-53-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1748-20-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/1748-74-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/2304-8-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/2304-9-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3388-75-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/3388-76-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3456-84-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3456-83-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/3612-38-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3612-37-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/3776-50-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3776-49-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/3852-40-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3852-42-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/3852-41-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/3868-23-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/3868-24-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4140-60-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4140-62-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/4140-63-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4456-19-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4456-18-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/4544-4-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4544-3-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/4620-55-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4620-54-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/4684-57-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/4684-58-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4884-46-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4884-45-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/4976-34-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4976-33-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/5204-30-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download
memory/5204-31-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/6064-27-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/6064-26-0x0000000075240000-0x0000000075279000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads