bitrat | 9a6e4a0945252684df6638c58bcc3f0eeb38923ab8b56972585692d43ecc532b

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f1a585a7b4c15df61fa892fb3fc76d.exe
Size

7.1MB
MD5

97f1a585a7b4c15df61fa892fb3fc76d
SHA1

9d1564a02e8cd72e9cb188da42e05ae3511762c8
SHA256

9a6e4a0945252684df6638c58bcc3f0eeb38923ab8b56972585692d43ecc532b
SHA512

a2b74994062f45df13552d80ef6f21c2228fedde24b5913e528721389bcf3cc22c5a8f6ac741d309322ec6340648248d1bb6b4794f83f93a42e90f03c2776e38
SSDEEP

196608:9fXscaDbsQoXznnH/UAhB9ZOjy+puQqw/LMBkJzIDluZpK1:9fsOnfpDmKmTaMCloK

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

vbd3hiruwgcquiwrhpvaxann2ieo3tw3iznqlrp2z6mqyaonh4rswjqd.onion:80

Attributes

communication_password
a5b168cfbe7cfa4410a62b9965318077
tor_process
svchost

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016d0e-47.dat	acprotect
behavioral1/files/0x0006000000017478-52.dat	acprotect
behavioral1/files/0x0008000000016d16-53.dat	acprotect
behavioral1/files/0x000600000001744e-55.dat	acprotect
behavioral1/files/0x0006000000017499-58.dat	acprotect
behavioral1/files/0x0031000000018646-67.dat	acprotect
behavioral1/files/0x0006000000017456-65.dat	acprotect

Executes dropped EXE 7 IoCs

pid	Process
1720	svchost.exe
2732	svchost.exe
2668	svchost.exe
1272	svchost.exe
1312	svchost.exe
2612	svchost.exe
2948	svchost.exe

Loads dropped DLL 57 IoCs

pid	Process
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
1720	svchost.exe
1720	svchost.exe
1720	svchost.exe
1720	svchost.exe
1720	svchost.exe
1720	svchost.exe
1720	svchost.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001754e-39.dat	upx
behavioral1/memory/3008-45-0x0000000004B50000-0x0000000004F54000-memory.dmp	upx
behavioral1/memory/1720-48-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/files/0x0008000000016d0e-47.dat	upx
behavioral1/files/0x0006000000017478-52.dat	upx
behavioral1/files/0x0008000000016d16-53.dat	upx
behavioral1/files/0x000600000001744e-55.dat	upx
behavioral1/memory/1720-59-0x0000000074CB0000-0x0000000074CF9000-memory.dmp	upx
behavioral1/memory/1720-60-0x0000000074610000-0x000000007471A000-memory.dmp	upx
behavioral1/memory/1720-61-0x0000000074BE0000-0x0000000074CA8000-memory.dmp	upx
behavioral1/files/0x0006000000017499-58.dat	upx
behavioral1/memory/1720-56-0x0000000074720000-0x00000000749EF000-memory.dmp	upx
behavioral1/memory/1720-64-0x0000000074580000-0x0000000074608000-memory.dmp	upx
behavioral1/files/0x0031000000018646-67.dat	upx
behavioral1/memory/1720-69-0x00000000744B0000-0x000000007457E000-memory.dmp	upx
behavioral1/memory/1720-68-0x0000000074480000-0x00000000744A4000-memory.dmp	upx
behavioral1/files/0x0006000000017456-65.dat	upx
behavioral1/memory/1720-104-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/memory/1720-107-0x0000000074BE0000-0x0000000074CA8000-memory.dmp	upx
behavioral1/memory/1720-110-0x00000000744B0000-0x000000007457E000-memory.dmp	upx
behavioral1/memory/1720-109-0x0000000074580000-0x0000000074608000-memory.dmp	upx
behavioral1/memory/1720-108-0x0000000074610000-0x000000007471A000-memory.dmp	upx
behavioral1/memory/1720-112-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/memory/1720-106-0x0000000074CB0000-0x0000000074CF9000-memory.dmp	upx
behavioral1/memory/1720-105-0x0000000074720000-0x00000000749EF000-memory.dmp	upx
behavioral1/memory/1720-197-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/memory/1720-206-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/memory/1720-256-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/memory/2732-276-0x0000000074720000-0x00000000749EF000-memory.dmp	upx
behavioral1/memory/2732-278-0x0000000074CB0000-0x0000000074CF9000-memory.dmp	upx
behavioral1/memory/2732-282-0x0000000074BE0000-0x0000000074CA8000-memory.dmp	upx
behavioral1/memory/2732-285-0x0000000074610000-0x000000007471A000-memory.dmp	upx
behavioral1/memory/2732-288-0x0000000074580000-0x0000000074608000-memory.dmp	upx
behavioral1/memory/2732-290-0x00000000744B0000-0x000000007457E000-memory.dmp	upx
behavioral1/memory/2732-294-0x0000000074480000-0x00000000744A4000-memory.dmp	upx
behavioral1/memory/2732-274-0x0000000000BC0000-0x0000000000FC4000-memory.dmp	upx
behavioral1/memory/2668-318-0x0000000073620000-0x00000000738EF000-memory.dmp	upx
behavioral1/memory/2668-319-0x0000000074C60000-0x0000000074CA9000-memory.dmp	upx
behavioral1/memory/2668-320-0x0000000074920000-0x00000000749E8000-memory.dmp	upx
behavioral1/memory/2668-321-0x0000000074810000-0x000000007491A000-memory.dmp	upx
behavioral1/memory/2668-322-0x0000000074780000-0x0000000074808000-memory.dmp	upx
behavioral1/memory/2668-324-0x0000000074CD0000-0x0000000074CF4000-memory.dmp	upx
behavioral1/memory/2668-325-0x0000000001010000-0x0000000001414000-memory.dmp	upx
behavioral1/memory/2668-326-0x00000000746B0000-0x000000007477E000-memory.dmp	upx
behavioral1/memory/2668-401-0x0000000001010000-0x0000000001414000-memory.dmp	upx
behavioral1/memory/3008-418-0x0000000007020000-0x0000000007424000-memory.dmp	upx
behavioral1/memory/1272-423-0x0000000073620000-0x00000000738EF000-memory.dmp	upx
behavioral1/memory/1272-424-0x0000000074C60000-0x0000000074CA9000-memory.dmp	upx
behavioral1/memory/1272-427-0x0000000074920000-0x00000000749E8000-memory.dmp	upx
behavioral1/memory/1272-428-0x0000000074810000-0x000000007491A000-memory.dmp	upx
behavioral1/memory/1272-430-0x0000000074780000-0x0000000074808000-memory.dmp	upx
behavioral1/memory/1272-433-0x00000000746B0000-0x000000007477E000-memory.dmp	upx
behavioral1/memory/1272-435-0x0000000074CD0000-0x0000000074CF4000-memory.dmp	upx
behavioral1/memory/1272-421-0x0000000001010000-0x0000000001414000-memory.dmp	upx
behavioral1/memory/1272-442-0x0000000001010000-0x0000000001414000-memory.dmp	upx
behavioral1/memory/1272-443-0x0000000073620000-0x00000000738EF000-memory.dmp	upx

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	myexternalip.com
10	myexternalip.com
11	myexternalip.com
23	myexternalip.com
33	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3024	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	97f1a585a7b4c15df61fa892fb3fc76d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	97f1a585a7b4c15df61fa892fb3fc76d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	97f1a585a7b4c15df61fa892fb3fc76d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	97f1a585a7b4c15df61fa892fb3fc76d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	97f1a585a7b4c15df61fa892fb3fc76d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	97f1a585a7b4c15df61fa892fb3fc76d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
Token: SeShutdownPrivilege	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe
3008	97f1a585a7b4c15df61fa892fb3fc76d.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 3024	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	28
PID 2000 wrote to memory of 3024	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	28
PID 2000 wrote to memory of 3024	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	28
PID 2000 wrote to memory of 3024	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	28
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 2000 wrote to memory of 3008	2000	97f1a585a7b4c15df61fa892fb3fc76d.exe	30
PID 3008 wrote to memory of 1720	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	31
PID 3008 wrote to memory of 1720	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	31
PID 3008 wrote to memory of 1720	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	31
PID 3008 wrote to memory of 1720	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	31
PID 3008 wrote to memory of 2732	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	37
PID 3008 wrote to memory of 2732	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	37
PID 3008 wrote to memory of 2732	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	37
PID 3008 wrote to memory of 2732	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	37
PID 3008 wrote to memory of 2668	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	38
PID 3008 wrote to memory of 2668	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	38
PID 3008 wrote to memory of 2668	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	38
PID 3008 wrote to memory of 2668	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	38
PID 3008 wrote to memory of 1272	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	40
PID 3008 wrote to memory of 1272	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	40
PID 3008 wrote to memory of 1272	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	40
PID 3008 wrote to memory of 1272	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	40
PID 3008 wrote to memory of 1312	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	41
PID 3008 wrote to memory of 1312	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	41
PID 3008 wrote to memory of 1312	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	41
PID 3008 wrote to memory of 1312	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	41
PID 3008 wrote to memory of 2612	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	43
PID 3008 wrote to memory of 2612	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	43
PID 3008 wrote to memory of 2612	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	43
PID 3008 wrote to memory of 2612	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	43
PID 3008 wrote to memory of 2948	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	44
PID 3008 wrote to memory of 2948	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	44
PID 3008 wrote to memory of 2948	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	44
PID 3008 wrote to memory of 2948	3008	97f1a585a7b4c15df61fa892fb3fc76d.exe	44

C:\Users\Admin\AppData\Local\Temp\97f1a585a7b4c15df61fa892fb3fc76d.exe
"C:\Users\Admin\AppData\Local\Temp\97f1a585a7b4c15df61fa892fb3fc76d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rkZqKaShx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA007.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\97f1a585a7b4c15df61fa892fb3fc76d.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1720
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2732
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2668
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1272
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1312
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2612
- - C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe
    "C:\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e17ad356c38b825a91267e8fb6a1b393

SHA1
259e078636fa5128bbd2df976b2029f5a4ddb3b5

SHA256
3883955e4de5e615541920dd46144e12ba21827f6dbb5cb71ff26c3db3d6cb99

SHA512
3b733212bf739d6ce5dd214419c102c4f9aebde639de3bd028054e8ac82e7f0aa7a75dafc54bd68881b8a434b0c4cfafc3061befb787bb2949444fa63e00acc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a36ce89f0bd681206b075b006e4db033

SHA1
a4197381599b20a3450e13b1d2cfa527574b5162

SHA256
9b46b544f7ced2db83acb8f545125f0e95a887558e4db9ef34a2274f1350c043

SHA512
95ae17ea0e70c6d563ab5c92c8c49370f9a3dfa4fa55fdbd1180771d1841cf998a9c7df24816ade502d2b165a20ae595dc55e72063f1e9bf2d51eb9b375aff22

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE3E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFECE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA007.tmp

Filesize
1KB

MD5
c7fa548676e0c0b5bac80b164f19b344

SHA1
0b408be20b4649b338c03b5287ca177b50b45144

SHA256
5319e34b2ea7c099777ec08bfcf05b5ec92dacdcc46fca39e0dec5f14248b5ed

SHA512
fd6e95adab8e91076818e3f0c3361d7d56c85b0c9f024958fd7fdd3f40cc1421f97659d9074b883fb66401dada2410609a505313db9cadc4e2efe0012f8165b9

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\data\cached-certs

Filesize
20KB

MD5
2ba51a0244fa51b71c619aff5dab29b6

SHA1
47bb983fe3ec4c913193073f2f5beea3227dd0a3

SHA256
aef8ce17a008060191b0ecd9a50db81c1493ccae285f019b9cce79220dba2033

SHA512
70854a2600224befea975388b290d600eae22ce8bb1666f0d1dce91303bf58810788e592493865fbaf9836c5b59d8c0eb453c685430e6c0a4577f13edac865f9

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\data\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
e7abc6934cb714f2728cd37ab9a5f543

SHA1
4142e6c2e538f0fc1d90776f254bcb116fe474ae

SHA256
4496bcbc97fb32777dfb90e1e50b7a00584c43bc3ac653120e1fcb04e642ec52

SHA512
64ec20f9105bead5244326b093078a927c2edc56792b4202dc1468aecbe78565a9d3cf73bc4b98776d92de76abcf1c306dc5f6ca60d44521b96d2ac11d6f5e2e

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\data\cached-microdescs.new

Filesize
20.5MB

MD5
11194ce3724ac346e5efee685d6e5203

SHA1
067748dd52bbe952b7a9ae5550ab4c56a8eb4bee

SHA256
2d46c592f615b37412509a387694d27a5dffbdc726e95eaa22bc4d176c7c1bba

SHA512
5224f3b92d7fdec78e73e121797678b70761be65a010634604696bbdc24645a4f5fdca4de859434ddc93bbf8bd5f06e7197a12a48cafd92f7fd83d51e4ebe3a2

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\data\cached-microdescs.new

Filesize
6.0MB

MD5
5f593f8bf11911c5884d2e239559a80e

SHA1
b8db0f6d5c77b5848f3156cffa59b96f07207764

SHA256
59aee5e17d46e4ac4c07a49ede9f2d10f5636dbaf913161d85c16084ceddb964

SHA512
ce4492111e23574246aec6d260978487634c2e81bf381eddd91ba26f6bc8254795022d296f4d778ee25c4611405752285d12635a1fb82e862ea94c0c132fb48e

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\data\state

Filesize
232B

MD5
703ba57c29f9ebac46187c39b3f62d49

SHA1
36d6a2e34904635af34cdeab3123dad3cc888845

SHA256
34928e866ed9c17aade4d9c9d2d2cb6bd00c0f326d94dedb40cb1c8931f56db8

SHA512
fddec1b2a4be06665ed12428d81a672d9d45841492c604bc0eed81d64fa0a6e6a507128a27dd02e838f3b004f6049433233c422c92cc5769632738da9eab3627

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d32839c8\tor\torrc

Filesize
157B

MD5
eb6a94bb542c5eccbf6a69cb41eee37d

SHA1
17fa40a8ae0870316298d061563b79bd6681a439

SHA256
25350b0e59c5d4e1992f5f62f86db4885988481d98674c026321fe3704f6fb00

SHA512
cd940a918b09da62f4bb736329ddc37afeb15783ac047d1b6b56284c0daf298042cf396da95e660996466f7e48e5ac4f80861951da601e80667805aefd737502

Download Submit
\Users\Admin\AppData\Local\d32839c8\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
\Users\Admin\AppData\Local\d32839c8\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
\Users\Admin\AppData\Local\d32839c8\tor\svchost.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
\Users\Admin\AppData\Local\d32839c8\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1272-433-0x00000000746B0000-0x000000007477E000-memory.dmp

Filesize
824KB

Download
memory/1272-423-0x0000000073620000-0x00000000738EF000-memory.dmp

Filesize
2.8MB

Download
memory/1272-430-0x0000000074780000-0x0000000074808000-memory.dmp

Filesize
544KB

Download
memory/1272-424-0x0000000074C60000-0x0000000074CA9000-memory.dmp

Filesize
292KB

Download
memory/1272-435-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/1272-421-0x0000000001010000-0x0000000001414000-memory.dmp

Filesize
4.0MB

Download
memory/1272-427-0x0000000074920000-0x00000000749E8000-memory.dmp

Filesize
800KB

Download
memory/1272-442-0x0000000001010000-0x0000000001414000-memory.dmp

Filesize
4.0MB

Download
memory/1272-428-0x0000000074810000-0x000000007491A000-memory.dmp

Filesize
1.0MB

Download
memory/1272-443-0x0000000073620000-0x00000000738EF000-memory.dmp

Filesize
2.8MB

Download
memory/1720-64-0x0000000074580000-0x0000000074608000-memory.dmp

Filesize
544KB

Download
memory/1720-68-0x0000000074480000-0x00000000744A4000-memory.dmp

Filesize
144KB

Download
memory/1720-60-0x0000000074610000-0x000000007471A000-memory.dmp

Filesize
1.0MB

Download
memory/1720-61-0x0000000074BE0000-0x0000000074CA8000-memory.dmp

Filesize
800KB

Download
memory/1720-105-0x0000000074720000-0x00000000749EF000-memory.dmp

Filesize
2.8MB

Download
memory/1720-56-0x0000000074720000-0x00000000749EF000-memory.dmp

Filesize
2.8MB

Download
memory/1720-106-0x0000000074CB0000-0x0000000074CF9000-memory.dmp

Filesize
292KB

Download
memory/1720-48-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/1720-69-0x00000000744B0000-0x000000007457E000-memory.dmp

Filesize
824KB

Download
memory/1720-104-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/1720-112-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/1720-108-0x0000000074610000-0x000000007471A000-memory.dmp

Filesize
1.0MB

Download
memory/1720-109-0x0000000074580000-0x0000000074608000-memory.dmp

Filesize
544KB

Download
memory/1720-59-0x0000000074CB0000-0x0000000074CF9000-memory.dmp

Filesize
292KB

Download
memory/1720-256-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/1720-206-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/1720-197-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/1720-110-0x00000000744B0000-0x000000007457E000-memory.dmp

Filesize
824KB

Download
memory/1720-107-0x0000000074BE0000-0x0000000074CA8000-memory.dmp

Filesize
800KB

Download
memory/2000-0-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-1-0x00000000012F0000-0x0000000001A0C000-memory.dmp

Filesize
7.1MB

Download
memory/2000-2-0x0000000005560000-0x00000000055A0000-memory.dmp

Filesize
256KB

Download
memory/2000-3-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2000-4-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-5-0x0000000005560000-0x00000000055A0000-memory.dmp

Filesize
256KB

Download
memory/2000-25-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-7-0x0000000009F10000-0x000000000A6E4000-memory.dmp

Filesize
7.8MB

Download
memory/2000-6-0x000000000CDE0000-0x000000000D426000-memory.dmp

Filesize
6.3MB

Download
memory/2668-319-0x0000000074C60000-0x0000000074CA9000-memory.dmp

Filesize
292KB

Download
memory/2668-318-0x0000000073620000-0x00000000738EF000-memory.dmp

Filesize
2.8MB

Download
memory/2668-401-0x0000000001010000-0x0000000001414000-memory.dmp

Filesize
4.0MB

Download
memory/2668-326-0x00000000746B0000-0x000000007477E000-memory.dmp

Filesize
824KB

Download
memory/2668-325-0x0000000001010000-0x0000000001414000-memory.dmp

Filesize
4.0MB

Download
memory/2668-324-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/2668-322-0x0000000074780000-0x0000000074808000-memory.dmp

Filesize
544KB

Download
memory/2668-321-0x0000000074810000-0x000000007491A000-memory.dmp

Filesize
1.0MB

Download
memory/2668-320-0x0000000074920000-0x00000000749E8000-memory.dmp

Filesize
800KB

Download
memory/2732-276-0x0000000074720000-0x00000000749EF000-memory.dmp

Filesize
2.8MB

Download
memory/2732-274-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

Filesize
4.0MB

Download
memory/2732-294-0x0000000074480000-0x00000000744A4000-memory.dmp

Filesize
144KB

Download
memory/2732-290-0x00000000744B0000-0x000000007457E000-memory.dmp

Filesize
824KB

Download
memory/2732-288-0x0000000074580000-0x0000000074608000-memory.dmp

Filesize
544KB

Download
memory/2732-285-0x0000000074610000-0x000000007471A000-memory.dmp

Filesize
1.0MB

Download
memory/2732-282-0x0000000074BE0000-0x0000000074CA8000-memory.dmp

Filesize
800KB

Download
memory/2732-278-0x0000000074CB0000-0x0000000074CF9000-memory.dmp

Filesize
292KB

Download
memory/3008-254-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-313-0x0000000007090000-0x0000000007494000-memory.dmp

Filesize
4.0MB

Download
memory/3008-82-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-114-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-252-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-214-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/3008-215-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/3008-84-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-205-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-300-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/3008-303-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/3008-85-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-81-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-196-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-194-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-86-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-93-0x0000000004B50000-0x0000000004F54000-memory.dmp

Filesize
4.0MB

Download
memory/3008-113-0x0000000004B50000-0x0000000004F54000-memory.dmp

Filesize
4.0MB

Download
memory/3008-49-0x0000000004B50000-0x0000000004F54000-memory.dmp

Filesize
4.0MB

Download
memory/3008-45-0x0000000004B50000-0x0000000004F54000-memory.dmp

Filesize
4.0MB

Download
memory/3008-28-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-272-0x0000000007090000-0x0000000007494000-memory.dmp

Filesize
4.0MB

Download
memory/3008-115-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/3008-341-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/3008-342-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/3008-343-0x0000000007090000-0x0000000007494000-memory.dmp

Filesize
4.0MB

Download
memory/3008-345-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/3008-116-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/3008-418-0x0000000007020000-0x0000000007424000-memory.dmp

Filesize
4.0MB

Download
memory/3008-27-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-26-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-23-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-18-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-19-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-17-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-16-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-15-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-454-0x0000000006EC0000-0x00000000072C4000-memory.dmp

Filesize
4.0MB

Download
memory/3008-13-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3008-11-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads