bitrat | hxxp://45[.]95[.]169[.]45[:]23205/

Resubmissions

22-11-2022 00:51

221122-a7gqmagg5y 8

21-11-2022 23:09

21-11-2022 21:54

21-11-2022 21:30

21-11-2022 20:42

21-11-2022 19:29

Analysis

max time kernel
636s
max time network
645s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.95.169.45:23205/

Score

10^/10

bitrat xmrig miner persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

45.95.168.128:23202

Attributes

communication_password
ed99c23d77796aac877ce1f91481dc28
install_dir
Oracle
install_file
java.exe
tor_process
tor

Extracted

Family

bitrat

Version

1.34

45.95.168.128:23202

Attributes

communication_password
ed99c23d77796aac877ce1f91481dc28
install_dir
test
install_file
test.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe	xmrig
behavioral1/memory/2024-160-0x00007FF6197E0000-0x00007FF619EEA000-memory.dmp	xmrig
behavioral1/memory/2024-181-0x00007FF6197E0000-0x00007FF619EEA000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

rat (1).exetest.exe1 (1).exeGoogleUpdate.execs.exerat.exe

pid process

3680 rat (1).exe
5108 test.exe
4692 1 (1).exe
2024 GoogleUpdate.exe
3460 cs.exe
4592 rat.exe

pid	process
3680	rat (1).exe
5108	test.exe
4692	1 (1).exe
2024	GoogleUpdate.exe
3460	cs.exe
4592	rat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\test.exe	upx
C:\Users\Admin\Downloads\test.exe	upx
behavioral1/memory/5108-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5108-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe1 (1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	1 (1).exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

test.exerat (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Local\\test\\test.exe"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe\uf800"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Local\\test\\test.exe\ue800"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe먀"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe꜀"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exeȀ"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe꼀"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exeꠀ"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exeꘀ"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe준"	rat (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Local\\test\\test.exeЀ"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe\ue000"	rat (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

rat (1).exetest.exerat.exe

pid process

3680 rat (1).exe
3680 rat (1).exe
3680 rat (1).exe
3680 rat (1).exe
5108 test.exe
5108 test.exe
5108 test.exe
5108 test.exe
4592 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3680	rat (1).exe
3680	rat (1).exe
3680	rat (1).exe
3680	rat (1).exe
5108	test.exe
5108	test.exe
5108	test.exe
5108	test.exe
4592	rat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exe1 (1).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	1 (1).exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.execs.exechrome.exe

pid	process
3116	chrome.exe
3116	chrome.exe
808	chrome.exe
808	chrome.exe
2492	chrome.exe
2492	chrome.exe
4964	chrome.exe
4964	chrome.exe
2256	chrome.exe
2256	chrome.exe
5004	chrome.exe
5004	chrome.exe
1852	chrome.exe
1852	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
4560	chrome.exe
4560	chrome.exe
1168	chrome.exe
1168	chrome.exe
3460	cs.exe
3460	cs.exe
3460	cs.exe
3460	cs.exe
3460	cs.exe
3460	cs.exe
4744	chrome.exe
4744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

808 chrome.exe
808 chrome.exe
808 chrome.exe
808 chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

rat (1).exetest.exe7zG.exe7zG.exerat.exe

description	pid	process
Token: SeShutdownPrivilege	3680	rat (1).exe
Token: SeShutdownPrivilege	5108	test.exe
Token: SeRestorePrivilege	2432	7zG.exe
Token: 35	2432	7zG.exe
Token: SeSecurityPrivilege	2432	7zG.exe
Token: SeSecurityPrivilege	2432	7zG.exe
Token: SeRestorePrivilege	2420	7zG.exe
Token: 35	2420	7zG.exe
Token: SeSecurityPrivilege	2420	7zG.exe
Token: SeSecurityPrivilege	2420	7zG.exe
Token: SeShutdownPrivilege	4592	rat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rat (1).exetest.exe

pid process

3680 rat (1).exe
3680 rat (1).exe
5108 test.exe
5108 test.exe

pid	process
3680	rat (1).exe
3680	rat (1).exe
5108	test.exe
5108	test.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 808 wrote to memory of 3756	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3756	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 2396	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3116	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3116	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1080	808	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://45.95.169.45:23205/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7f3f4f50,0x7ffe7f3f4f60,0x7ffe7f3f4f70
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1692 /prefetch:2
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
PID:340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4684 /prefetch:8
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2612 /prefetch:8
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
2⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6312 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 /prefetch:8
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
2⤵
PID:4264

C:\Users\Admin\Downloads\rat (1).exe
"C:\Users\Admin\Downloads\rat (1).exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Users\Admin\Downloads\test.exe
"C:\Users\Admin\Downloads\test.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
2⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=916 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1332 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5476 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5996 /prefetch:8
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,17327516179222062956,639702564235353681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
2⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4432

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\1 (1)\" -spe -an -ai#7zMap20470:72:7zEvent8481
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Users\Admin\Downloads\1 (1).exe
"C:\Users\Admin\Downloads\1 (1).exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
2⤵
- Checks computer location settings
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe
googleupdate
4⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\Downloads\cs.exe
"C:\Users\Admin\Downloads\cs.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\rat\" -spe -an -ai#7zMap31493:68:7zEvent22315
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\Downloads\rat.exe
"C:\Users\Admin\Downloads\rat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe

Filesize
3.9MB

MD5
273e2fbc0a4fdf5100eff76cdc72f292

SHA1
f5d61a4a3154b1ec7a32e5cd5df9ce4c2d873bf1

SHA256
219325a1f600be24dd8e265e1d21efcdba85c7ae849031e8b8746928fdf41bc7

SHA512
4db326187be98be9ea8db28feefb71cfcbf435698b8516c742beb821cdf2655b938a8ca4da7331ee66957359f0bb0408aeedf8dad87ceba546d19e831054cab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe

Filesize
3.9MB

MD5
273e2fbc0a4fdf5100eff76cdc72f292

SHA1
f5d61a4a3154b1ec7a32e5cd5df9ce4c2d873bf1

SHA256
219325a1f600be24dd8e265e1d21efcdba85c7ae849031e8b8746928fdf41bc7

SHA512
4db326187be98be9ea8db28feefb71cfcbf435698b8516c742beb821cdf2655b938a8ca4da7331ee66957359f0bb0408aeedf8dad87ceba546d19e831054cab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
143B

MD5
ba3893cad10edcb4a0572156a83a9c4c

SHA1
8564d3d2c10f89893f233b7b14934e1ca95baf4f

SHA256
94fab46d5bca4f4a74eb8686d21f49e34a05ec79ffeb14d57275434fab7e4bd9

SHA512
abf280586542e79248e88c3cb776f049acd1a9334a9fa8c78debb218a80068a0629a8abf16b61a19e11c1b8f0d80e4429d8ea0061ef14eb5f34f5d82397b4f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

Filesize
117B

MD5
8099c67a9631789db03e90d7b7bf0980

SHA1
4fbf9f44825a1184b24a0d957b20a850f3b07c42

SHA256
88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206

SHA512
c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043

Download Submit
C:\Users\Admin\Downloads\1 (1).exe

Filesize
1.7MB

MD5
f3bf68a03f822eee0d1821a0e075e7d8

SHA1
f7f6bf88372c7f140a89868a9f53c5cc629a1013

SHA256
3306914d482a4580384fc75e7036115773c074a38060ff2ace9505980ddd2a6b

SHA512
0784fafb8a41ef3740a95e6cf7e898f2915bc10d6c5364d577a7c02b6e5fbd8303a241ffa769f9a7780d3d46ccbd7d0f2b5424371b6fac5c75db4cc0edc72cfa

Download Submit
C:\Users\Admin\Downloads\1 (1).exe

Filesize
1.7MB

MD5
f3bf68a03f822eee0d1821a0e075e7d8

SHA1
f7f6bf88372c7f140a89868a9f53c5cc629a1013

SHA256
3306914d482a4580384fc75e7036115773c074a38060ff2ace9505980ddd2a6b

SHA512
0784fafb8a41ef3740a95e6cf7e898f2915bc10d6c5364d577a7c02b6e5fbd8303a241ffa769f9a7780d3d46ccbd7d0f2b5424371b6fac5c75db4cc0edc72cfa

Download Submit
C:\Users\Admin\Downloads\cs.exe

Filesize
332KB

MD5
9f58be8d27bef7912e54734c9011e5dd

SHA1
3f788e3c803849ffeacdd3bd315a73ffd7555237

SHA256
d68fc328e4aafbb35d64f35ee9534d0b3a8b36cd9f2c6f36d495cf44937d1f8c

SHA512
ac57c5d990666bf81e23ae95cb43274f6b25f2314832ae33477cca1dfef2bc62b772dfab0e51e70aa1d686e50e405b49fbe96b677e611d61475c6b273d44222e

Download Submit
C:\Users\Admin\Downloads\cs.exe

Filesize
332KB

MD5
9f58be8d27bef7912e54734c9011e5dd

SHA1
3f788e3c803849ffeacdd3bd315a73ffd7555237

SHA256
d68fc328e4aafbb35d64f35ee9534d0b3a8b36cd9f2c6f36d495cf44937d1f8c

SHA512
ac57c5d990666bf81e23ae95cb43274f6b25f2314832ae33477cca1dfef2bc62b772dfab0e51e70aa1d686e50e405b49fbe96b677e611d61475c6b273d44222e

Download Submit
C:\Users\Admin\Downloads\rat (1).exe

Filesize
3.8MB

MD5
c1fae73665efdc6c694b8e5539b98288

SHA1
a326cce74d10355c9bf1bc9c22d522a65962a570

SHA256
30e96177e8d7b657bcc304b1a1a44748124b1aa057b649225d1c5a7bf2be5a62

SHA512
47049d9a82943c1043c5b72132cc25013f1b745068a552f1dd1ac87670194ffa07ffe4244736601b3abd98f8bf0471f3ed950abb89bf5a43fcbedae472a768ce

Download Submit
C:\Users\Admin\Downloads\rat (1).exe

Filesize
3.8MB

MD5
c1fae73665efdc6c694b8e5539b98288

SHA1
a326cce74d10355c9bf1bc9c22d522a65962a570

SHA256
30e96177e8d7b657bcc304b1a1a44748124b1aa057b649225d1c5a7bf2be5a62

SHA512
47049d9a82943c1043c5b72132cc25013f1b745068a552f1dd1ac87670194ffa07ffe4244736601b3abd98f8bf0471f3ed950abb89bf5a43fcbedae472a768ce

Download Submit
C:\Users\Admin\Downloads\test.exe

Filesize
1.4MB

MD5
80dcf02bf5150c7454004c0f71a57d51

SHA1
6f016319bb003159fba7653a055991e52a0fc19f

SHA256
49c4bb55e3da9afcbdf23a5b97ac10ea941131e590d4bab1df93c98bac83f3f0

SHA512
cfd55538df1447b8548da422da4f55e0204458b9459f76f4d7fa2d3aebc1c611762001e7260a6060210b08921036b21c875c15da57372f0d7edd8e1ed60ab243

Download Submit
C:\Users\Admin\Downloads\test.exe

Filesize
1.4MB

MD5
80dcf02bf5150c7454004c0f71a57d51

SHA1
6f016319bb003159fba7653a055991e52a0fc19f

SHA256
49c4bb55e3da9afcbdf23a5b97ac10ea941131e590d4bab1df93c98bac83f3f0

SHA512
cfd55538df1447b8548da422da4f55e0204458b9459f76f4d7fa2d3aebc1c611762001e7260a6060210b08921036b21c875c15da57372f0d7edd8e1ed60ab243

Download Submit
\??\pipe\crashpad_808_TSXIDDUUDMHWDDMY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1996-155-0x0000000000000000-mapping.dmp

Download
memory/2024-156-0x0000000000000000-mapping.dmp

Download
memory/2024-159-0x000002C106CB0000-0x000002C106CD0000-memory.dmp

Filesize
128KB

Download
memory/2024-160-0x00007FF6197E0000-0x00007FF619EEA000-memory.dmp

Filesize
7.0MB

Download
memory/2024-181-0x00007FF6197E0000-0x00007FF619EEA000-memory.dmp

Filesize
7.0MB

Download
memory/3480-152-0x0000000000000000-mapping.dmp

Download
memory/3680-210-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-138-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-149-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-205-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-206-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-209-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-184-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-213-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-142-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-161-0x0000000072950000-0x0000000072989000-memory.dmp

Filesize
228KB

Download
memory/3680-201-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-163-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-198-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-165-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-215-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-202-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-168-0x00000000743B0000-0x00000000743E9000-memory.dmp

Filesize
228KB

Download
memory/3680-169-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-197-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-171-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-194-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-137-0x00000000743B0000-0x00000000743E9000-memory.dmp

Filesize
228KB

Download
memory/3680-192-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-175-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-190-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-177-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-188-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-179-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-186-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/3680-134-0x0000000000000000-mapping.dmp

Download
memory/3680-182-0x0000000072950000-0x0000000072989000-memory.dmp

Filesize
228KB

Download
memory/5108-173-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-183-0x0000000072900000-0x0000000072939000-memory.dmp

Filesize
228KB

Download
memory/5108-185-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-180-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-187-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-178-0x0000000073B70000-0x0000000073BA9000-memory.dmp

Filesize
228KB

Download
memory/5108-189-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-176-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-191-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-174-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-193-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-172-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-195-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-196-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-170-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-164-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-199-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-200-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-162-0x0000000072900000-0x0000000072939000-memory.dmp

Filesize
228KB

Download
memory/5108-151-0x0000000073B70000-0x0000000073BA9000-memory.dmp

Filesize
228KB

Download
memory/5108-203-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-204-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5108-146-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-207-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-208-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-145-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-144-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-211-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-212-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5108-214-0x0000000074070000-0x00000000740A9000-memory.dmp

Filesize
228KB

Download
memory/5108-139-0x0000000000000000-mapping.dmp

Download