bitrat | 29c7a3ada8baf686277bc18e5cadf37083b76aa56e5ab0f279fc7d13fdbdc062

Analysis

max time kernel
165s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b8fb7d7a2593534a55488146dc93f43.exe
Size

7.6MB
MD5

5b8fb7d7a2593534a55488146dc93f43
SHA1

7b4c89ed2038f106d109a68cd8bf6ae9f8adfd16
SHA256

29c7a3ada8baf686277bc18e5cadf37083b76aa56e5ab0f279fc7d13fdbdc062
SHA512

c1985985f7832fc21e335799150f11a92699356bd31b6980f6192140df4f888221f99ea3e7ff1ee5adb7fd5a7feb2ca12eef32c14d08aca314b46206a9181446
SSDEEP

196608:zYTeu2ZxHNDxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfTV73c:UTeuIPxwZ6v1CPwDv3uFteg2EeJUO9Wq

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.30

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4100-0-0x0000000000400000-0x0000000000BA8000-memory.dmp	family_bitrat
behavioral2/memory/4100-1-0x0000000000400000-0x0000000000BA8000-memory.dmp	family_bitrat
behavioral2/memory/4100-46-0x0000000000400000-0x0000000000BA8000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 14 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023216-19.dat	acprotect
behavioral2/files/0x000600000002321b-22.dat	acprotect
behavioral2/files/0x000800000002321a-28.dat	acprotect
behavioral2/files/0x0009000000023219-27.dat	acprotect
behavioral2/files/0x0009000000023219-35.dat	acprotect
behavioral2/files/0x0008000000023216-40.dat	acprotect
behavioral2/files/0x0008000000023216-39.dat	acprotect
behavioral2/files/0x000600000002321c-34.dat	acprotect
behavioral2/files/0x000600000002321e-32.dat	acprotect
behavioral2/files/0x000600000002321c-29.dat	acprotect
behavioral2/files/0x000800000002321a-21.dat	acprotect
behavioral2/files/0x000600000002321b-26.dat	acprotect
behavioral2/files/0x0008000000023217-24.dat	acprotect
behavioral2/files/0x0008000000023217-20.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	5b8fb7d7a2593534a55488146dc93f43.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	java.exe

Loads dropped DLL 8 IoCs

pid	Process
4952	java.exe
4952	java.exe
4952	java.exe
4952	java.exe
4952	java.exe
4952	java.exe
4952	java.exe
4952	java.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321d-15.dat	upx
behavioral2/files/0x000600000002321d-17.dat	upx
behavioral2/memory/4952-23-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/files/0x0008000000023216-19.dat	upx
behavioral2/files/0x000600000002321d-18.dat	upx
behavioral2/files/0x000600000002321b-22.dat	upx
behavioral2/memory/4952-30-0x0000000073E70000-0x0000000073F38000-memory.dmp	upx
behavioral2/files/0x000800000002321a-28.dat	upx
behavioral2/files/0x0009000000023219-27.dat	upx
behavioral2/memory/4952-36-0x0000000073C90000-0x0000000073D18000-memory.dmp	upx
behavioral2/files/0x0009000000023219-35.dat	upx
behavioral2/files/0x0008000000023216-40.dat	upx
behavioral2/files/0x0008000000023216-39.dat	upx
behavioral2/memory/4952-41-0x00000000738B0000-0x0000000073B7F000-memory.dmp	upx
behavioral2/memory/4952-38-0x0000000073D20000-0x0000000073D44000-memory.dmp	upx
behavioral2/memory/4952-37-0x0000000073B80000-0x0000000073C8A000-memory.dmp	upx
behavioral2/files/0x000600000002321c-34.dat	upx
behavioral2/memory/4952-33-0x0000000073E20000-0x0000000073E69000-memory.dmp	upx
behavioral2/files/0x000600000002321e-32.dat	upx
behavioral2/files/0x000600000002321c-29.dat	upx
behavioral2/memory/4952-31-0x0000000073D50000-0x0000000073E1E000-memory.dmp	upx
behavioral2/files/0x000800000002321a-21.dat	upx
behavioral2/files/0x000600000002321b-26.dat	upx
behavioral2/files/0x0008000000023217-24.dat	upx
behavioral2/files/0x0008000000023217-20.dat	upx
behavioral2/memory/4952-66-0x0000000073D20000-0x0000000073D44000-memory.dmp	upx
behavioral2/memory/4952-69-0x00000000738B0000-0x0000000073B7F000-memory.dmp	upx
behavioral2/memory/4952-68-0x0000000073B80000-0x0000000073C8A000-memory.dmp	upx
behavioral2/memory/4952-67-0x0000000073C90000-0x0000000073D18000-memory.dmp	upx
behavioral2/memory/4952-65-0x0000000073D50000-0x0000000073E1E000-memory.dmp	upx
behavioral2/memory/4952-64-0x0000000073E20000-0x0000000073E69000-memory.dmp	upx
behavioral2/memory/4952-63-0x0000000073E70000-0x0000000073F38000-memory.dmp	upx
behavioral2/memory/4952-62-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-81-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-82-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-94-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-111-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-119-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-127-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-139-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx
behavioral2/memory/4952-150-0x00000000008D0000-0x0000000000CD4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\java\\java.exe"	5b8fb7d7a2593534a55488146dc93f43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\java\\java.exe攀"	5b8fb7d7a2593534a55488146dc93f43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\java\\java.exe\ue800"	5b8fb7d7a2593534a55488146dc93f43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\java\\java.exeЀ"	5b8fb7d7a2593534a55488146dc93f43.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	myexternalip.com
38	myexternalip.com
46	myexternalip.com
75	myexternalip.com
77	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 28 IoCs

pid	Process
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4100	5b8fb7d7a2593534a55488146dc93f43.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4100	5b8fb7d7a2593534a55488146dc93f43.exe
4100	5b8fb7d7a2593534a55488146dc93f43.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4952	4100	5b8fb7d7a2593534a55488146dc93f43.exe	93
PID 4100 wrote to memory of 4952	4100	5b8fb7d7a2593534a55488146dc93f43.exe	93
PID 4100 wrote to memory of 4952	4100	5b8fb7d7a2593534a55488146dc93f43.exe	93

C:\Users\Admin\AppData\Local\Temp\5b8fb7d7a2593534a55488146dc93f43.exe
"C:\Users\Admin\AppData\Local\Temp\5b8fb7d7a2593534a55488146dc93f43.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\230c72a1\tor\java.exe
  "C:\Users\Admin\AppData\Local\230c72a1\tor\java.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\230c72a1\tor\data\cached-microdesc-consensus.tmp

Filesize
207KB

MD5
ad1b24b295cce76d9587d21f4bfeb9c3

SHA1
1977014c388b5a2b0925782bbfe4983e8f253637

SHA256
72ee4d16ee31c40c6d942894d3f5780dd96bfbc32e0e3c48afc1c9e9437f9e82

SHA512
e3ac216708106865c4290f08250c7560fe2967da2a1d61f040badd4545cea5a25645c9043e7d40e06c4467a9f18394404744b5eed464f1fd52b36f92238cadd4

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\data\cached-microdescs.new

Filesize
157KB

MD5
6bddd8343898a6f9006e0d12ad13d852

SHA1
46212cd4fba6301c418bed43f457f001dd07a864

SHA256
d7771bb75ee6df9b7e071eaec0e52313a2ae5f6d86d2d5e406cf679ae3777804

SHA512
72795f42f398e1d144143578406f6a800c44009542e54421271e881ffb085ad645ff5d7b67a627bac36458641cde9932c7cc9d597067500657fb14ac86c1e91a

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\java.exe

Filesize
88KB

MD5
12d71a70083797ffbbb9292030d687f7

SHA1
ca4cacb3ca9dd4f6675adcceef110ef76b62e971

SHA256
056007c3a09c16fded1f6ee584acc3da1be75e8662b8904714973f5100504847

SHA512
5054413d2a463de4244e2f468e597b99924c0723a796033950956d2f9b5bd8b41d92bd0a41cc8cc7a2fdd26556499b97f99e5ee0cf63f41c3e094c0682cfba95

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\java.exe

Filesize
39KB

MD5
fcc1e20a7e187180ba84fbdd792d7342

SHA1
040232438253897e76a2d657f97e4fa52a9c5a31

SHA256
2b28b2d694853a4aa830c5253b360bb02fd3370dbe9b35f2d62c5ea647def426

SHA512
40bb6a4f1bc25157e780bf572bc25506793d263ed661555856e7673bca356abff6326a75b85325463873d842e0e76c4749a220dec1f00829194ee91db4a862ac

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\java.exe

Filesize
29KB

MD5
7570a858e9e98c615de1b9aa82dc462f

SHA1
6683ffa68cd2682ac56ea8d2343f564cebef802a

SHA256
ac2c3bc8855bc714ec867d32e3411fe43c5e136504e07e3c79442b8db253ec26

SHA512
8cd7fa6f923331948fdf3d4fd5ad8db0786b19a8bc973711d69963d7c6bc7b358448bce1bcabe54148a41c20f7b23d6760c374db9b84cfd710ac537ebb3f9f3c

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libcrypto-1_1.dll

Filesize
19KB

MD5
b23d38f64838e661198cbf29dcfdeb59

SHA1
87be7d6d19f25727b662de3ae3d65d0c912eed6c

SHA256
fcb6532f0c2ee238b8fdd36f0c1b71a8bda8955bad98ecd824c5f5247e8ba07c

SHA512
8f1910609858df380811195e2198097728e80e6c8d8c090d5b7e46d726fb09e63fb6eef03e138b15f73f5934f9ff87d9c6be77e79cd86c4ddcfeb015df846db1

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libcrypto-1_1.dll

Filesize
128KB

MD5
b4938c9573a5cea5bea234cd483bc59d

SHA1
0790530848493f08cd384112ea6bab36317cc05a

SHA256
abc651f4ecbbdff7390c58ee6fc3305a839e9d28948272218c6f478ca6795d71

SHA512
14c59d3f387fba92b9f6d728c74517c61b7ecbb711af44ae07a238895e5e9c9895c523705590f80403ae443e71c4849bbdd34833ad76b871e3281f3d74438b2f

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libcrypto-1_1.dll

Filesize
135KB

MD5
49eeeddd137d242951d59592cad7c1af

SHA1
6c4dc1246e15f760cb7f92559f0b27b6260bff2e

SHA256
fa155f8d9bcffc4d8be4a4b761175851b02dab0127f70aa96ac35b9f36c55a0b

SHA512
ea163c30f54dde2125b08a676facacb94762d4395760084ad861faf90afd1e98b5685beea52165390d5bc9ba49d3eb3834d845a70ef6455c7ed1e030e0c76fd9

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libevent-2-1-6.dll

Filesize
139KB

MD5
da42c1d54b4f1402b4b0defdd85bbed8

SHA1
f058a7259634312dd4e3984076a566acce7648f8

SHA256
95917cb83d21a9cb8005335512c37b30c2682c04b0afb6898a1cf411085de9b0

SHA512
fe90a8ee319e0e7cb5a53969d990488ad4f95dddc4284e66bd041bfb6588ccc96d8954aabee3d325d9142e70015440a676171acfedce867120dc04d3f9407858

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libevent-2-1-6.dll

Filesize
149KB

MD5
813a1713e444c7662ac7929b739afffd

SHA1
ffa633e3445515979d5ce535d98e6a089d09955e

SHA256
a9258071e63eb5c334f7dc591c1b06f24d2f2dceff6634c18692ff9f8b1d97a3

SHA512
2730ec6444d5769ad180c34b930e9eb9317f979d05b8cbc4e7f361d12a20bad849e87ea33eab45b527cbd3492d080b812dadd036755f8313d9460d068581fde7

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libgcc_s_sjlj-1.dll

Filesize
1KB

MD5
667379ab150a4abba307317172a1279c

SHA1
a59d95e9c96a66bea029a3d64c2aabf3af936653

SHA256
edc0653489536f7d44a8ed6f64c5cf87b8e8e9b2ae65cb6f99241095893898d7

SHA512
7ad8c6f180a7533b5d4b60a7f26d949694fe58d3b3d98eea12892248a733fc3509e3a99d37d5bc621f975f97bf5e232f5e88e12a9e97fa36d31352329d8484ca

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libgcc_s_sjlj-1.dll

Filesize
140KB

MD5
90171711af2c72d9ce4cd644f385c223

SHA1
a9fcfa4866595fcc73e81b9b68a8c015bc6449c8

SHA256
0ab0259cdd7d7a2263dd7653a8225216c31153cf00849621294c3afcf59349a7

SHA512
cbc16e33e94d133402f3e636b01f3e774893f56ddc5acf90e43dca35b23f4eee6adc8c15ff680d404c51a0e5a7f86c56c99c02a0fe4d2d37863f04171b2c1a27

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libssl-1_1.dll

Filesize
124KB

MD5
82c071314a62ea18332bdbdae447f522

SHA1
ccfd6ec1a4683272ceec9021345b8d47c365e146

SHA256
2dfb074635450beca029617e5cf0d1018a0b28604dc835343e42744f64e81866

SHA512
ec4da2ea82bee0be543770b1dbda6cf0f7cbc7a563d90fb264f9931423fb5793ed9d392f2ae3e0fdb6cb5757859c418b1ae2b1a7e60ad9276c75fdd2f2688512

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libssl-1_1.dll

Filesize
5KB

MD5
1c1ba3d52453d3330d53dc10d54656d0

SHA1
0eefed009660755444dea707933f39c118dcd4cd

SHA256
3ecc2be64f1e318545c1596d0b40c648e76c79cc610a9d7dcd7499e7f1eb77da

SHA512
dcfc2f93bad2dff2a8ed141c1b25e195b697856ff9399d09a13b273b8e115521dd1f16c3bd6c160bd65b993e79b2b550dda1420811141207019fb3025c9608f9

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libssp-0.dll

Filesize
22KB

MD5
cef0c944afc5e522933b283c217353f7

SHA1
383872cb2f6f09603b73a45186a2fca7d8e22af8

SHA256
dec68360f1323cbb7402ea402b17699511613f31d0c421d5b043ce89892b6341

SHA512
669a2a5b504bda49e13f1ce762b50a3b3afeb96f66637cf491311a21da92ad98ba7b8af8adf3f0ccd50e45a7e717cf5143e87b56f054d8f5f76f0935ee878e02

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libssp-0.dll

Filesize
57KB

MD5
b105ff353bc093a8a2d90aa74c41b310

SHA1
fe4c560a2390d89c518e90f3eb4b1ff75d135040

SHA256
b73259e3bbac0db31b7e61ed2dcf6fe21f15c0144497967e7cd8841622a9dc9f

SHA512
ec1a980f4c60950158cb996e9602c4d56819f9887e8ba0e178505b028cebbd49a33cc8fa45a5efc3395043f1de3e20c9a5cac0ad98a631097ca3e13708e30927

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libwinpthread-1.dll

Filesize
133KB

MD5
da95e03d204a3f0fbaa6d2a61b67cea9

SHA1
d71296ad3146a1e74da5ea3138ccdf17384d1ed3

SHA256
3f2d44b17df5f759481bcb285735c5d3d8229b1ed4119cfa406ad8a598ef4663

SHA512
96ec93acf25593762bee95df85a5be5a8954736ff510ad76265fe0cd511f33f32b5c849b3b5c6425c6ec81afdafa8723a6aee39e0a2f7aaa906b173e17613715

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\libwinpthread-1.dll

Filesize
102KB

MD5
179805cbef9f143a88f7140260096672

SHA1
2e3cb848ad117d93eaa132d39e3ac9b5872abd50

SHA256
f90973babec139cc0994659f2542137e721cf52ab0bed1bab6c9ac001d99e054

SHA512
d363b0d6613b6accea4181239b6b8a3c42a90de08fc52e784f37e2313f2db8f3abc5d43de4f781ff67665c1c3c33e946a9bae6a46b507a758ecec911c7541070

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\torrc

Filesize
139B

MD5
31cc422ce83cab0acfc091f41a59fc42

SHA1
ee55b2b4f0e0946b6b5be5ef75543f6fae7b7569

SHA256
c77372e430efec15bb22ccb84345e23a9203bda0dc730504820a32b3528a21ba

SHA512
da0f9b3e897773a2d8c96da3ff2dec2ab91c6e58913539bf5948c0919aa77dec899f3984c51323f8cb08cf63d7b8dc5491fb5816ddd1bd666d0577e14daabbb9

Download Submit
C:\Users\Admin\AppData\Local\230c72a1\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/4100-0-0x0000000000400000-0x0000000000BA8000-memory.dmp

Filesize
7.7MB

Download
memory/4100-138-0x0000000072BA0000-0x0000000072BD9000-memory.dmp

Filesize
228KB

Download
memory/4100-1-0x0000000000400000-0x0000000000BA8000-memory.dmp

Filesize
7.7MB

Download
memory/4100-2-0x00000000749F0000-0x0000000074A29000-memory.dmp

Filesize
228KB

Download
memory/4100-47-0x00000000734A0000-0x00000000734D9000-memory.dmp

Filesize
228KB

Download
memory/4100-46-0x0000000000400000-0x0000000000BA8000-memory.dmp

Filesize
7.7MB

Download
memory/4952-66-0x0000000073D20000-0x0000000073D44000-memory.dmp

Filesize
144KB

Download
memory/4952-64-0x0000000073E20000-0x0000000073E69000-memory.dmp

Filesize
292KB

Download
memory/4952-30-0x0000000073E70000-0x0000000073F38000-memory.dmp

Filesize
800KB

Download
memory/4952-23-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-31-0x0000000073D50000-0x0000000073E1E000-memory.dmp

Filesize
824KB

Download
memory/4952-33-0x0000000073E20000-0x0000000073E69000-memory.dmp

Filesize
292KB

Download
memory/4952-37-0x0000000073B80000-0x0000000073C8A000-memory.dmp

Filesize
1.0MB

Download
memory/4952-38-0x0000000073D20000-0x0000000073D44000-memory.dmp

Filesize
144KB

Download
memory/4952-41-0x00000000738B0000-0x0000000073B7F000-memory.dmp

Filesize
2.8MB

Download
memory/4952-69-0x00000000738B0000-0x0000000073B7F000-memory.dmp

Filesize
2.8MB

Download
memory/4952-68-0x0000000073B80000-0x0000000073C8A000-memory.dmp

Filesize
1.0MB

Download
memory/4952-67-0x0000000073C90000-0x0000000073D18000-memory.dmp

Filesize
544KB

Download
memory/4952-65-0x0000000073D50000-0x0000000073E1E000-memory.dmp

Filesize
824KB

Download
memory/4952-36-0x0000000073C90000-0x0000000073D18000-memory.dmp

Filesize
544KB

Download
memory/4952-63-0x0000000073E70000-0x0000000073F38000-memory.dmp

Filesize
800KB

Download
memory/4952-62-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-81-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-82-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-93-0x00000000017D0000-0x0000000001A9F000-memory.dmp

Filesize
2.8MB

Download
memory/4952-94-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-111-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-119-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-127-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-42-0x00000000017D0000-0x0000000001A9F000-memory.dmp

Filesize
2.8MB

Download
memory/4952-139-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-150-0x00000000008D0000-0x0000000000CD4000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads