1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/02/2024, 21:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7613e5c267e7f270918ef87fcb1e45c.exe
Size

7.8MB
MD5

a7613e5c267e7f270918ef87fcb1e45c
SHA1

5ce965496ce1d9eea2d78548854bd486c11329d1
SHA256

1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6
SHA512

19888cf9937c44770dff47027ada8ef8eaa46cc849717ec0fb46bb32d07434b3b851efa708decd2fa18c07333cc247d35e03d71fbd386caea839bf44cdd7c0d2
SSDEEP

196608:LIRcbH4jSteTGvCxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuCxwZ6v1CPwDv3uFteg2EeJUO9E

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0031000000015b77-18.dat	acprotect
behavioral1/files/0x0007000000015c86-22.dat	acprotect
behavioral1/files/0x0007000000015c9c-24.dat	acprotect
behavioral1/files/0x00070000000160f8-27.dat	acprotect
behavioral1/files/0x0008000000015ca5-28.dat	acprotect
behavioral1/files/0x0006000000016411-30.dat	acprotect
behavioral1/files/0x0008000000015cad-21.dat	acprotect
behavioral1/files/0x0031000000015b77-324.dat	acprotect
behavioral1/files/0x0008000000015ca5-329.dat	acprotect

Executes dropped EXE 9 IoCs

pid	Process
2552	windows32.exe
1200	windows32.exe
608	windows32.exe
2572	windows32.exe
1508	windows32.exe
848	windows32.exe
1684	windows32.exe
656	windows32.exe
2276	windows32.exe

Loads dropped DLL 64 IoCs

pid	Process
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2552	windows32.exe
2552	windows32.exe
2552	windows32.exe
2552	windows32.exe
2552	windows32.exe
2552	windows32.exe
2552	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
1200	windows32.exe
1200	windows32.exe
1200	windows32.exe
1200	windows32.exe
1200	windows32.exe
1200	windows32.exe
1200	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
608	windows32.exe
608	windows32.exe
608	windows32.exe
608	windows32.exe
608	windows32.exe
608	windows32.exe
608	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2572	windows32.exe
2572	windows32.exe
2572	windows32.exe
2572	windows32.exe
2572	windows32.exe
2572	windows32.exe
2572	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
1508	windows32.exe
1508	windows32.exe
1508	windows32.exe
1508	windows32.exe
1508	windows32.exe
1508	windows32.exe
1508	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
848	windows32.exe
848	windows32.exe
848	windows32.exe
848	windows32.exe
848	windows32.exe
848	windows32.exe
848	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
1684	windows32.exe
1684	windows32.exe
1684	windows32.exe
1684	windows32.exe
1684	windows32.exe
1684	windows32.exe
1684	windows32.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
656	windows32.exe
656	windows32.exe
656	windows32.exe
656	windows32.exe
656	windows32.exe
656	windows32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016277-14.dat	upx
behavioral1/memory/2984-16-0x0000000003EA0000-0x00000000042A4000-memory.dmp	upx
behavioral1/files/0x0031000000015b77-18.dat	upx
behavioral1/files/0x0007000000015c86-22.dat	upx
behavioral1/files/0x0007000000015c9c-24.dat	upx
behavioral1/files/0x00070000000160f8-27.dat	upx
behavioral1/files/0x0008000000015ca5-28.dat	upx
behavioral1/files/0x0006000000016411-30.dat	upx
behavioral1/memory/2552-32-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2552-33-0x0000000074E90000-0x0000000074ED9000-memory.dmp	upx
behavioral1/memory/2552-35-0x00000000747C0000-0x00000000748CA000-memory.dmp	upx
behavioral1/memory/2552-34-0x0000000074DC0000-0x0000000074E88000-memory.dmp	upx
behavioral1/memory/2552-39-0x0000000074730000-0x00000000747B8000-memory.dmp	upx
behavioral1/memory/2552-40-0x0000000074660000-0x000000007472E000-memory.dmp	upx
behavioral1/files/0x0008000000015cad-21.dat	upx
behavioral1/memory/2552-41-0x0000000075330000-0x0000000075354000-memory.dmp	upx
behavioral1/memory/2552-43-0x00000000748D0000-0x0000000074B9F000-memory.dmp	upx
behavioral1/memory/2552-52-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2552-55-0x0000000074DC0000-0x0000000074E88000-memory.dmp	upx
behavioral1/memory/2552-58-0x0000000074660000-0x000000007472E000-memory.dmp	upx
behavioral1/memory/2552-61-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2552-62-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2552-77-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2552-89-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2984-119-0x0000000004AE0000-0x0000000004EE4000-memory.dmp	upx
behavioral1/memory/1200-122-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/1200-124-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/1200-125-0x00000000748D0000-0x0000000074B9F000-memory.dmp	upx
behavioral1/memory/1200-130-0x0000000074E90000-0x0000000074ED9000-memory.dmp	upx
behavioral1/memory/1200-133-0x0000000074DC0000-0x0000000074E88000-memory.dmp	upx
behavioral1/memory/1200-136-0x00000000747C0000-0x00000000748CA000-memory.dmp	upx
behavioral1/memory/1200-138-0x0000000074730000-0x00000000747B8000-memory.dmp	upx
behavioral1/memory/1200-139-0x0000000074660000-0x000000007472E000-memory.dmp	upx
behavioral1/memory/1200-141-0x0000000075330000-0x0000000075354000-memory.dmp	upx
behavioral1/memory/2552-103-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/608-158-0x0000000074600000-0x00000000748CF000-memory.dmp	upx
behavioral1/memory/2984-150-0x0000000004AE0000-0x0000000004EE4000-memory.dmp	upx
behavioral1/memory/608-166-0x0000000074AD0000-0x0000000074B98000-memory.dmp	upx
behavioral1/memory/608-167-0x00000000749C0000-0x0000000074ACA000-memory.dmp	upx
behavioral1/memory/608-168-0x0000000074DB0000-0x0000000074E38000-memory.dmp	upx
behavioral1/memory/608-169-0x0000000074EB0000-0x0000000074ED4000-memory.dmp	upx
behavioral1/memory/608-170-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/608-172-0x00000000748F0000-0x00000000749BE000-memory.dmp	upx
behavioral1/memory/608-161-0x0000000074E40000-0x0000000074E89000-memory.dmp	upx
behavioral1/memory/608-179-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/608-180-0x0000000074600000-0x00000000748CF000-memory.dmp	upx
behavioral1/memory/608-187-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/608-195-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2984-292-0x0000000005D20000-0x0000000006124000-memory.dmp	upx
behavioral1/memory/2572-295-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2572-300-0x0000000074E40000-0x0000000074E89000-memory.dmp	upx
behavioral1/memory/2572-302-0x0000000074AD0000-0x0000000074B98000-memory.dmp	upx
behavioral1/memory/2572-305-0x00000000749C0000-0x0000000074ACA000-memory.dmp	upx
behavioral1/memory/2572-298-0x0000000074600000-0x00000000748CF000-memory.dmp	upx
behavioral1/memory/2572-313-0x0000000074EB0000-0x0000000074ED4000-memory.dmp	upx
behavioral1/memory/2572-310-0x00000000748F0000-0x00000000749BE000-memory.dmp	upx
behavioral1/memory/608-315-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/memory/2572-308-0x0000000074DB0000-0x0000000074E38000-memory.dmp	upx
behavioral1/files/0x0031000000015b77-324.dat	upx
behavioral1/files/0x0006000000016277-323.dat	upx
behavioral1/memory/1508-330-0x0000000001240000-0x0000000001644000-memory.dmp	upx
behavioral1/files/0x0008000000015ca5-329.dat	upx
behavioral1/memory/1508-334-0x0000000074A00000-0x0000000074AC8000-memory.dmp	upx
behavioral1/memory/1508-331-0x0000000073AE0000-0x0000000073DAF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe"	a7613e5c267e7f270918ef87fcb1e45c.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	myexternalip.com
19	myexternalip.com
40	myexternalip.com
48	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a7613e5c267e7f270918ef87fcb1e45c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a7613e5c267e7f270918ef87fcb1e45c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious behavior: RenamesItself 25 IoCs

pid	Process
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	a7613e5c267e7f270918ef87fcb1e45c.exe
Token: SeShutdownPrivilege	2984	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	a7613e5c267e7f270918ef87fcb1e45c.exe
2984	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2552	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	28
PID 2984 wrote to memory of 2552	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	28
PID 2984 wrote to memory of 2552	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	28
PID 2984 wrote to memory of 2552	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	28
PID 2984 wrote to memory of 1200	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	31
PID 2984 wrote to memory of 1200	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	31
PID 2984 wrote to memory of 1200	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	31
PID 2984 wrote to memory of 1200	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	31
PID 2984 wrote to memory of 608	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	32
PID 2984 wrote to memory of 608	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	32
PID 2984 wrote to memory of 608	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	32
PID 2984 wrote to memory of 608	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	32
PID 2984 wrote to memory of 2572	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	35
PID 2984 wrote to memory of 2572	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	35
PID 2984 wrote to memory of 2572	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	35
PID 2984 wrote to memory of 2572	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	35
PID 2984 wrote to memory of 1508	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	36
PID 2984 wrote to memory of 1508	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	36
PID 2984 wrote to memory of 1508	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	36
PID 2984 wrote to memory of 1508	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	36
PID 2984 wrote to memory of 848	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	38
PID 2984 wrote to memory of 848	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	38
PID 2984 wrote to memory of 848	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	38
PID 2984 wrote to memory of 848	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	38
PID 2984 wrote to memory of 1684	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	39
PID 2984 wrote to memory of 1684	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	39
PID 2984 wrote to memory of 1684	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	39
PID 2984 wrote to memory of 1684	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	39
PID 2984 wrote to memory of 656	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	41
PID 2984 wrote to memory of 656	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	41
PID 2984 wrote to memory of 656	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	41
PID 2984 wrote to memory of 656	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	41
PID 2984 wrote to memory of 2276	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	42
PID 2984 wrote to memory of 2276	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	42
PID 2984 wrote to memory of 2276	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	42
PID 2984 wrote to memory of 2276	2984	a7613e5c267e7f270918ef87fcb1e45c.exe	42

C:\Users\Admin\AppData\Local\Temp\a7613e5c267e7f270918ef87fcb1e45c.exe
"C:\Users\Admin\AppData\Local\Temp\a7613e5c267e7f270918ef87fcb1e45c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2552
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1200
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:608
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2572
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1508
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:848
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1684
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:656
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:2276

Network

DNS

myexternalip.com

a7613e5c267e7f270918ef87fcb1e45c.exe

Remote address:

8.8.8.8:53

Request

myexternalip.com

IN A

Response

myexternalip.com

IN A

34.117.118.44
GET

https://myexternalip.com/raw

a7613e5c267e7f270918ef87fcb1e45c.exe

Remote address:

34.117.118.44:443

Request

GET /raw HTTP/1.1
User-Agent: xz07OF1YPA8HIjl3K56l5cynMW7JnQLS
Host: myexternalip.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

server: fasthttp
date: Mon, 26 Feb 2024 21:22:08 GMT
content-type: text/plain; charset=utf-8
Content-Length: 12
access-control-allow-origin: *
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

apps.identrust.com

a7613e5c267e7f270918ef87fcb1e45c.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.205

a1952.dscq.akamai.net

IN A

96.17.179.184
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

a7613e5c267e7f270918ef87fcb1e45c.exe

Remote address:

96.17.179.205:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 26 Feb 2024 22:22:07 GMT
Date: Mon, 26 Feb 2024 21:22:07 GMT
Connection: keep-alive
GET

https://myexternalip.com/raw

a7613e5c267e7f270918ef87fcb1e45c.exe

Remote address:

34.117.118.44:443

Request

GET /raw HTTP/1.1
User-Agent: gF4dFD62ZuPDXrNcUlUZPj0lAyPrSh4o
Host: myexternalip.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

server: fasthttp
date: Mon, 26 Feb 2024 21:22:40 GMT
content-type: text/plain; charset=utf-8
Content-Length: 12
access-control-allow-origin: *
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://myexternalip.com/raw

a7613e5c267e7f270918ef87fcb1e45c.exe

Remote address:

34.117.118.44:443

Request

GET /raw HTTP/1.1
User-Agent: D4dD9qtr0mEoUXF6VlHikaMgsTVUwMBY
Host: myexternalip.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

server: fasthttp
date: Mon, 26 Feb 2024 21:23:09 GMT
content-type: text/plain; charset=utf-8
Content-Length: 12
access-control-allow-origin: *
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

185.100.86.128:9001

www.5gq6i2fj7wqb6ejckhft.com

tls

windows32.exe

40.2kB
744.2kB
330
549
127.0.0.1:49227

windows32.exe
212.47.233.250:9001

windows32.exe

152 B
3
50.7.74.174:9001

windows32.exe

152 B
3
127.0.0.1:45808

a7613e5c267e7f270918ef87fcb1e45c.exe
172.105.242.117:443

www.xlx7wmjllrdf6wi.com

tls

windows32.exe

724.7kB
8.8MB
4206
6441
178.17.171.113:443

www.hqu2lrmvs22oz3ywufgafppqb.com

tls

windows32.exe

341.3kB
4.2MB
1800
3094
127.0.0.1:45808

a7613e5c267e7f270918ef87fcb1e45c.exe
172.105.242.117:443

www.cffa2rob6rygt4p2.com

tls

windows32.exe

13.7kB
16.4kB
31
35
178.17.171.113:443

www.aogsf4l4lohd.com

tls

windows32.exe

3.6kB
5.5kB
13
13
127.0.0.1:49321

windows32.exe
127.0.0.1:49364

windows32.exe
88.99.2.111:9001

www.snuz.com

tls

windows32.exe

19.4kB
25.7kB
45
55
23.88.75.121:9001

www.anwr7tee5xhr2mtc4y.com

tls

windows32.exe

17.7kB
23.2kB
44
55
127.0.0.1:45808

a7613e5c267e7f270918ef87fcb1e45c.exe
34.117.118.44:443

https://myexternalip.com/raw

tls, http

a7613e5c267e7f270918ef87fcb1e45c.exe

982 B
5.5kB
11
11

HTTP Request

GET https://myexternalip.com/raw

HTTP Response

200
96.17.179.205:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

a7613e5c267e7f270918ef87fcb1e45c.exe

323 B
1.6kB
4
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
127.0.0.1:49499

windows32.exe
51.158.148.230:995

www.7bol6.com

tls

windows32.exe

14.1kB
22.2kB
35
48
127.0.0.1:49549

windows32.exe
88.99.2.111:9001

www.e3p3x3oehsssypc.com

tls

windows32.exe

16.6kB
20.9kB
42
51
168.138.68.23:443

www.cpp5jvqukx2s7ri.com

tls

windows32.exe

7.7kB
10.1kB
21
22
127.0.0.1:45808

a7613e5c267e7f270918ef87fcb1e45c.exe
34.117.118.44:443

https://myexternalip.com/raw

tls, http

a7613e5c267e7f270918ef87fcb1e45c.exe

962 B
5.4kB
10
10

HTTP Request

GET https://myexternalip.com/raw

HTTP Response

200
127.0.0.1:49639

windows32.exe
127.0.0.1:49672

windows32.exe
198.244.212.57:443

www.ppghnud7dn7npewc4.com

tls

windows32.exe

20.5kB
28.2kB
47
64
51.15.116.168:443

www.2m37mam7pg5tsxc6x.com

tls

windows32.exe

6.0kB
9.0kB
18
21
88.99.2.111:9001

www.26lehicovuvz.com

tls

windows32.exe

14.7kB
17.5kB
35
45
127.0.0.1:45808

a7613e5c267e7f270918ef87fcb1e45c.exe
34.117.118.44:443

https://myexternalip.com/raw

tls, http

a7613e5c267e7f270918ef87fcb1e45c.exe

962 B
5.4kB
10
10

HTTP Request

GET https://myexternalip.com/raw

HTTP Response

200
127.0.0.1:49763

windows32.exe
127.0.0.1:49793

windows32.exe
85.235.250.88:443

windows32.exe

52 B
1
198.244.212.57:443

www.fxk7i2xq6.com

tls

windows32.exe

3.0kB
6.2kB
11
15
88.99.2.111:9001

www.zgzwpsv.com

tls

windows32.exe

2.9kB
5.5kB
9
12

8.8.8.8:53

myexternalip.com

dns

a7613e5c267e7f270918ef87fcb1e45c.exe

62 B
78 B
1
1

DNS Request

myexternalip.com

DNS Response

34.117.118.44
8.8.8.8:53

apps.identrust.com

dns

a7613e5c267e7f270918ef87fcb1e45c.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.17.179.205

96.17.179.184

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b80e31d2e71738027b7865d9cd4dd31

SHA1
be35fe35e116b454664b0d3201d8493a940940d7

SHA256
52a8dcbd0417cb7b60730e624c732cc1cb867fd4bc864c68c09d30ff3fbc551e

SHA512
fdf199114a221ff209cacebcc0d37edadb6c613a937edde52b90ec11c14be4a8a84f6ab1ae7cb37981af02ca07b0e21406e5d751bc903bf880ff42c2581d303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43C6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4494.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-certs

Filesize
20KB

MD5
efb6b50d02db6b004d129e3cc04c3952

SHA1
50efde597caa890cdc211ddbbaaa70b6065a910a

SHA256
5a0808a700af9e7c4d5fe144d01881ba1aa668d33cbf203a4ff41b01d77cb986

SHA512
25a805fee1f36b4ef514dca11ec247fe52e46c67f1ed41fcc7c3e56c2d211d3a4700e4f2ad5a66d774296bc639d5a9bc96d5031fb3b662f9e34d7ce0f5c73a2e

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdesc-consensus.tmp

Filesize
2.5MB

MD5
74fd1de13c691d4b33e2c97f32e1c8fe

SHA1
0880f72a45d3a0dbd9990f1d235d6954a6a539dc

SHA256
8ab20b215f1293e774d7552ae9b7b5009b2988ab67602e25fc49bb76dab749da

SHA512
ec079b0d3c4f1af8228ef50f24d4fd036dc790deef1320d7394e757f4904eb3b6ff81eb5ab76c72b1e81bd6fee3ff01eb9a7a21ec3c38d2fbb5b28fb6507324a

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new

Filesize
5.2MB

MD5
c1827a705797d4e7939f51a1ff0890ff

SHA1
84ba460e38e179b0feaab690df762e85c58a7402

SHA256
7695b7570b4bba25d023dfe00f440622d27b5cb98d67abd7381caed9d37341d6

SHA512
a0e65a4aed0c9f6a2eb6033dfd93da4583e64cd3ee1e1885e9e1d01c88d365ff986259e1f13f2433a18f7b083e536eff21ea4ecaa934c9efede1ee8d59455f03

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new

Filesize
1.6MB

MD5
6af46d3dc8a509cd5cb712cc2dd67c87

SHA1
8fb8d134dd76c29b8ba8549e179e284df2776cf1

SHA256
98680a4098e0b1b223fc7519514a344a9db871a78223aa62c806ce0a8428edc0

SHA512
40f0df8badf6a019e5310a7e019e86da8ef9658c8f4cf389b1036ea5fb0e4c49a30ce37ed6f5ecd716a98cdbc4cfdea3cd154a9a51a142d3334f3e7cda048c22

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\state

Filesize
232B

MD5
347920ffbc910c85f06b742258ed0c2f

SHA1
753d4f1143f5654fce1b8ba8611a4b12b001e469

SHA256
dc1dacfabdfb60bf94ed1a5a866138ec917ef0d9613367ad2e9a0d84749bf779

SHA512
8cca54981096d45d1e7a7dbeb3643e8a3e264eb3f66e95e6892eded90d680e2e2cd9de2f6848ddb3015a1b25fbfb08ff3a76f079c9585212ef725dd2462de9d3

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll

Filesize
256KB

MD5
24d770b27c33d9c2f9129fb21f444c81

SHA1
f43e4ca8a88b93bbc644528bbd5cabae4443491d

SHA256
a34c029d1cb60d52c0ba28ae42d0aadab63c060eaa9edbbeb151c22461b8c92f

SHA512
af9d1eb8c62932eb85a78228266985db5c5bc3c668824c5bac25d83e02478f08b147ea813f212c6fd4c06d38cc37b8008b09257adadd4bbf0d5251a7bc8bd1b1

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\torrc

Filesize
157B

MD5
d55bed9415496532e5333ecaff1e308d

SHA1
074dc0ad8d7b3f86679c321ec7377b3394659a52

SHA256
aacbccc1d0337c77cb4408cd9556b8e31d3a0390ab2ab6b17ad3bf30f2c93850

SHA512
69c492e32f75809ee12cf29a38d71435ec39e9327970dd7f108ce0599804008c0e3a462d244796a5592b587e1c8f1c1f78c2602d539f6d84bf33c18eb38276a5

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe

Filesize
832KB

MD5
62f141633858c58260659639c363d902

SHA1
d6b705c4e42da06295c36648674186482f13aefd

SHA256
ca81bbfa4bfefaa4b88254a599e20cfb540adc9010d739e400940591e4998158

SHA512
b644276cb03c3dbc25e6f1098cbf6361b04c81e5e3b5f4c073079c5dd25cf10a1bc345c5379634b490dffe70edc71297d5b834bf9a8a3b48d2a2aa47ed52981e

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll

Filesize
640KB

MD5
0b52a4a354936fc997f11cb85f64fd20

SHA1
fc981bbcd48e52bf26a72c00269c7650f240ae26

SHA256
784d873b9c1292e9b306b5a1a2ca330cb46a68890dac315b5a4a1d154e347763

SHA512
ec54e47e588432bd8876e9fdecc4533e854dc86094f7e3617abb00388f14088041c5213c00856de132671bddc4dbc722568fd9c1d9820c7ec4569f226c5d222c

Download Submit
\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
memory/608-180-0x0000000074600000-0x00000000748CF000-memory.dmp

Filesize
2.8MB

Download
memory/608-166-0x0000000074AD0000-0x0000000074B98000-memory.dmp

Filesize
800KB

Download
memory/608-315-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/608-179-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/608-161-0x0000000074E40000-0x0000000074E89000-memory.dmp

Filesize
292KB

Download
memory/608-195-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/608-158-0x0000000074600000-0x00000000748CF000-memory.dmp

Filesize
2.8MB

Download
memory/608-172-0x00000000748F0000-0x00000000749BE000-memory.dmp

Filesize
824KB

Download
memory/608-170-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/608-187-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/608-169-0x0000000074EB0000-0x0000000074ED4000-memory.dmp

Filesize
144KB

Download
memory/608-168-0x0000000074DB0000-0x0000000074E38000-memory.dmp

Filesize
544KB

Download
memory/608-167-0x00000000749C0000-0x0000000074ACA000-memory.dmp

Filesize
1.0MB

Download
memory/848-417-0x0000000074DF0000-0x0000000074E39000-memory.dmp

Filesize
292KB

Download
memory/848-415-0x0000000073AE0000-0x0000000073DAF000-memory.dmp

Filesize
2.8MB

Download
memory/848-413-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/848-419-0x0000000074A00000-0x0000000074AC8000-memory.dmp

Filesize
800KB

Download
memory/1200-138-0x0000000074730000-0x00000000747B8000-memory.dmp

Filesize
544KB

Download
memory/1200-122-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/1200-139-0x0000000074660000-0x000000007472E000-memory.dmp

Filesize
824KB

Download
memory/1200-141-0x0000000075330000-0x0000000075354000-memory.dmp

Filesize
144KB

Download
memory/1200-136-0x00000000747C0000-0x00000000748CA000-memory.dmp

Filesize
1.0MB

Download
memory/1200-133-0x0000000074DC0000-0x0000000074E88000-memory.dmp

Filesize
800KB

Download
memory/1200-130-0x0000000074E90000-0x0000000074ED9000-memory.dmp

Filesize
292KB

Download
memory/1200-125-0x00000000748D0000-0x0000000074B9F000-memory.dmp

Filesize
2.8MB

Download
memory/1200-124-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/1508-337-0x0000000074E60000-0x0000000074E84000-memory.dmp

Filesize
144KB

Download
memory/1508-365-0x0000000074A00000-0x0000000074AC8000-memory.dmp

Filesize
800KB

Download
memory/1508-364-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/1508-330-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/1508-355-0x0000000073AE0000-0x0000000073DAF000-memory.dmp

Filesize
2.8MB

Download
memory/1508-339-0x0000000074800000-0x00000000748CE000-memory.dmp

Filesize
824KB

Download
memory/1508-334-0x0000000074A00000-0x0000000074AC8000-memory.dmp

Filesize
800KB

Download
memory/1508-331-0x0000000073AE0000-0x0000000073DAF000-memory.dmp

Filesize
2.8MB

Download
memory/1508-335-0x00000000748F0000-0x00000000749FA000-memory.dmp

Filesize
1.0MB

Download
memory/1508-336-0x0000000074B10000-0x0000000074B98000-memory.dmp

Filesize
544KB

Download
memory/1508-338-0x0000000074DF0000-0x0000000074E39000-memory.dmp

Filesize
292KB

Download
memory/2552-61-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2552-40-0x0000000074660000-0x000000007472E000-memory.dmp

Filesize
824KB

Download
memory/2552-32-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2552-33-0x0000000074E90000-0x0000000074ED9000-memory.dmp

Filesize
292KB

Download
memory/2552-35-0x00000000747C0000-0x00000000748CA000-memory.dmp

Filesize
1.0MB

Download
memory/2552-34-0x0000000074DC0000-0x0000000074E88000-memory.dmp

Filesize
800KB

Download
memory/2552-39-0x0000000074730000-0x00000000747B8000-memory.dmp

Filesize
544KB

Download
memory/2552-41-0x0000000075330000-0x0000000075354000-memory.dmp

Filesize
144KB

Download
memory/2552-43-0x00000000748D0000-0x0000000074B9F000-memory.dmp

Filesize
2.8MB

Download
memory/2552-52-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2552-55-0x0000000074DC0000-0x0000000074E88000-memory.dmp

Filesize
800KB

Download
memory/2552-58-0x0000000074660000-0x000000007472E000-memory.dmp

Filesize
824KB

Download
memory/2552-103-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2552-62-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2552-77-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2552-89-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2572-302-0x0000000074AD0000-0x0000000074B98000-memory.dmp

Filesize
800KB

Download
memory/2572-308-0x0000000074DB0000-0x0000000074E38000-memory.dmp

Filesize
544KB

Download
memory/2572-295-0x0000000001240000-0x0000000001644000-memory.dmp

Filesize
4.0MB

Download
memory/2572-310-0x00000000748F0000-0x00000000749BE000-memory.dmp

Filesize
824KB

Download
memory/2572-313-0x0000000074EB0000-0x0000000074ED4000-memory.dmp

Filesize
144KB

Download
memory/2572-298-0x0000000074600000-0x00000000748CF000-memory.dmp

Filesize
2.8MB

Download
memory/2572-305-0x00000000749C0000-0x0000000074ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2572-300-0x0000000074E40000-0x0000000074E89000-memory.dmp

Filesize
292KB

Download
memory/2984-345-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2984-366-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/2984-119-0x0000000004AE0000-0x0000000004EE4000-memory.dmp

Filesize
4.0MB

Download
memory/2984-354-0x0000000005D20000-0x0000000006124000-memory.dmp

Filesize
4.0MB

Download
memory/2984-196-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2984-42-0x0000000003EA0000-0x00000000042A4000-memory.dmp

Filesize
4.0MB

Download
memory/2984-60-0x0000000003EA0000-0x00000000042A4000-memory.dmp

Filesize
4.0MB

Download
memory/2984-344-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2984-367-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/2984-411-0x0000000005F20000-0x0000000006324000-memory.dmp

Filesize
4.0MB

Download
memory/2984-292-0x0000000005D20000-0x0000000006124000-memory.dmp

Filesize
4.0MB

Download
memory/2984-150-0x0000000004AE0000-0x0000000004EE4000-memory.dmp

Filesize
4.0MB

Download
memory/2984-197-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2984-16-0x0000000003EA0000-0x00000000042A4000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.