bitrat | 9ea701c18c02ed5f5c0f9a2f095c0b568609f0735f2e39c572c67875071b01fc

Analysis

max time kernel
36s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

5.6MB
MD5

a971f912044d0e4280b0e9b7c54765be
SHA1

ba9078e5a88f433414f6386bbbb4462173bdf254
SHA256

9d585faa0851666f34381200277b38a1bef136ecd062fc53b158aa1b323fdf10
SHA512

272a809f9f510e35763955a0af2814071ee95af51b6e95af3f25b144ed319cb7d47b7fbd409d393c532637836ef2252b1cef4d29c6b549b8eab585db3b43eaca
SSDEEP

98304:vyZ3LRUXR9GPj9rbdajRbINHkOeY7i8mRMoRLVkGqIf/m4BQ9K+3t2tVlsT/jCSr:vyZ3LRUXrATkItkOEbZL29K/t+K+QsTE

Score

10^/10

bitrat trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-39-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-47-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-97-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-137-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-178-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-187-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-222-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-235-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral1/memory/2172-249-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libwinpthread-1.dll	acprotect
\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\zlib1.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

winsys64.exe

pid process

2992 winsys64.exe

pid	process
2992	winsys64.exe

Loads dropped DLL 9 IoCs

Processes:

sample.exewinsys64.exe

pid	process
2172	sample.exe
2172	sample.exe
2992	winsys64.exe
2992	winsys64.exe
2992	winsys64.exe
2992	winsys64.exe
2992	winsys64.exe
2992	winsys64.exe
2992	winsys64.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	upx
behavioral1/memory/2992-21-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssp-0.dll	upx
behavioral1/memory/2992-25-0x0000000073CF0000-0x0000000073FBF000-memory.dmp	upx
behavioral1/memory/2992-27-0x0000000074250000-0x0000000074299000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll	upx
behavioral1/memory/2992-30-0x0000000073C20000-0x0000000073CE8000-memory.dmp	upx
behavioral1/memory/2992-33-0x0000000073B10000-0x0000000073C1A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libwinpthread-1.dll	upx
\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssl-1_1.dll	upx
behavioral1/memory/2992-36-0x00000000741C0000-0x0000000074248000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\zlib1.dll	upx
behavioral1/memory/2992-40-0x0000000073A40000-0x0000000073B0E000-memory.dmp	upx
behavioral1/memory/2172-39-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-42-0x00000000742F0000-0x0000000074314000-memory.dmp	upx
behavioral1/memory/2172-47-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-48-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2992-49-0x0000000073CF0000-0x0000000073FBF000-memory.dmp	upx
behavioral1/memory/2992-50-0x0000000074250000-0x0000000074299000-memory.dmp	upx
behavioral1/memory/2992-52-0x0000000073B10000-0x0000000073C1A000-memory.dmp	upx
behavioral1/memory/2992-51-0x0000000073C20000-0x0000000073CE8000-memory.dmp	upx
behavioral1/memory/2992-53-0x00000000741C0000-0x0000000074248000-memory.dmp	upx
behavioral1/memory/2992-54-0x0000000073A40000-0x0000000073B0E000-memory.dmp	upx
behavioral1/memory/2992-55-0x00000000742F0000-0x0000000074314000-memory.dmp	upx
behavioral1/memory/2992-57-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-97-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-106-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-137-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-165-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-178-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-179-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-187-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-198-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-222-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-227-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-235-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral1/memory/2992-238-0x00000000009F0000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/2172-249-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 myexternalip.com
41 myexternalip.com
47 myexternalip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

sample.exe

pid process

2172 sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
40	myexternalip.com
41	myexternalip.com
47	myexternalip.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

NTFS ADS 2 IoCs

Processes:

sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:08-03-2024	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local:08-03-2024	sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2408 chrome.exe
2408 chrome.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

sample.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	2172	sample.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sample.exe

pid process

2172 sample.exe
2172 sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample.exechrome.exe

description	pid	process	target process
PID 2172 wrote to memory of 2992	2172	sample.exe	winsys64.exe
PID 2172 wrote to memory of 2992	2172	sample.exe	winsys64.exe
PID 2172 wrote to memory of 2992	2172	sample.exe	winsys64.exe
PID 2172 wrote to memory of 2992	2172	sample.exe	winsys64.exe
PID 2408 wrote to memory of 2436	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2436	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2436	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 744	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 940	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 940	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 940	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 2336	2408	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe
"C:\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66b9758,0x7fef66b9768,0x7fef66b9778
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:2
2⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:1
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:2
2⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1372 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3772 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:1
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1216,i,3617067480209239345,10703050275549801414,131072 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\18c4d7d0\tor\data\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
1cd3fc8b27accdf673dbc86754ed39c8

SHA1
a86e2603516493ca6c6165cc37f897bc21972e27

SHA256
1156e69fed66356296fef86ef033e4e2814b85c3da02493d7764fdbb38f6590b

SHA512
934bc4ac9e1559d7de9d306f814510d40de41ac8c39bdce36c736fc7b13fafa6b3f72c4bd2cbd8451dbcd8f5d91ed9c5553cca2ee3c2692a93d591aff1352359

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\data\cached-microdescs.new
Filesize
8.8MB

MD5
6018a5234b18591c29dadcd3cb26dedd

SHA1
628f4f2fa0b5211d1fcca9049eb7c3b080ad2821

SHA256
4b7bf56121b2dc6d71e26885cdb9b7005735f4dfc8ba3a36adaba84bc89a15c3

SHA512
aa4f46ffd26fb566056519ccb1a1dec2d600f8c1e5b9d00f30e6c2a7c17e888c79f8b44b4d37067f58215848414d3e2a5ac2eb7adfd433f9f4db6dadc130e0a8

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll
Filesize
256KB

MD5
861000f9633aa5296df72d30b82509fa

SHA1
b85ef6fa34de7ce6b89f2d232ef5363cdc17c7d5

SHA256
057b865da559069d93afe49164cbf0202fed0fda0cd49f1602d7b99b90603613

SHA512
b2b898f136f4f436452d135d598e9d7764a5596647f1b002d74e351117d0a01ae0eda91f7989467336c01d09cca41ab9b7dd0075e3d1ef245721959fb9f37d8b

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libwinpthread-1.dll
Filesize
64KB

MD5
a66be4f3f9f8bd5a687c36244c9dd297

SHA1
dc0f5a3d1fd66efff485015d9eef442702f910a0

SHA256
120daa2b87c2b489014dc1763aa7816491c81df854dec2e8773dba4beda33b52

SHA512
eb0cfdacb705f93ae1f22f4a793be4c36197ec7c2cc5b406df23e69477bcca43d5a85c4ab6adacf188c25bc4d9467553fbf77901fa3a99e0133520e93f2188b1

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\torrc
Filesize
139B

MD5
810ca57a4541aa0915723dd9a878a4f8

SHA1
bf5cbb30e140282febea89ade1b6f3c01a1614c4

SHA256
87d1de959d834f83a63d7b707ae81dceb521ed5169697e25797815e1025fdfd7

SHA512
833aaec0564f7a0a5f12643dc3cd90e581bea671a94162c899ab32b557c52ad6bd3f2b9195ae205051c5d46eb4d4a7b644f119dec5f041658d2a99c1cfe8662a

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
916970a80eb4bf43bb6c600468971849

SHA1
c9f8ada4b4eb31c2fa764703911bce6be448a540

SHA256
54c32a5900206f4db0679c492f5183a39720cebbc1c2a3a116860aca448fbfc6

SHA512
a8931b8b7fcee8151337ddb34b4f483a235c4bf5daaac9556d9f72b8547ceca33d59690ac4b011558abc7aac61096316d2f4afea6249e13e708c1c3f4469ed9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
273b75d9de30012d00d8106f35f242b6

SHA1
082bffb73f275695f0b4a5e6eb7f111b3cd47bf5

SHA256
1a813bdcc95d7cc05ecc6a380f49bbf3a48578ceca06fb49b11d7d8761bafcf9

SHA512
94b271ed7adea8b17a5b5bda5ae9be59bae6513d862466fffd2cd29ae6715578f7b4c50f1074e3b27e6b1ec3b12ba23e31a0566f3496f5fef0d2a7777dea8df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f0f8badcefc177244b167c97c40b3949

SHA1
cfc215e0c0b3fb36ef652bc29665e43acf133924

SHA256
22f6f1153054f51631f7e9ae15587ee410ff59ddb731ac5ef30d33f379f69a62

SHA512
515ad698703ac0c8e4ef330bde1a838b81d9689ca471184947fb46f794f12889d4461944d3c7f95bf40c2ceda739c14c96b0fd6177a019005d9dd940d1643190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
6ec95ad5b6d3521a6fe2515649acae56

SHA1
84e3024506be401d9a67e448b95e3babade1b5f4

SHA256
6753ac15076e13635ae1052576cd08ac84fc1e0e3806ca166a6361111d6fade6

SHA512
6cb0a89525a1ec2d21a6d25b1e89838b4dbf6d54291bcf11d900bc410f3ae543c63ae55822475ae2f28ec71237ededba2a048efe0f93ae56eb145ef0bf90f645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
7156690058581aeb3de54a5d871f3680

SHA1
e1c3da3302e0597baa4c0e6b67e6adee7df91a93

SHA256
2e72e1015dabe25dd287a3a9b3de7cbf31992cdbaa076fb1b7f9feb3630924c0

SHA512
679c0472ee6ed868e4bdf25b8a2830720b0c24e776fc04ee42dfa9bfbcad14c0580e071c41cf1cc25e84f3d2fee07ac0dbf9525e92084e673e1333acdde591f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
258KB

MD5
30b4e2802595bab0d6ca9cd27bb99de8

SHA1
7c8cb59c16f5cad4e246c642c891fd0539ce7ff5

SHA256
d64b6eaf4c6637e9ffd06607153ac019fac95b3269907c226f143e6753eef2c4

SHA512
a03da4526b7ae8e07fa0f5fc3da952268d83c98634b6721bf29bc14fcb79e5930b3a6fa024f61ec0a82f746d7bc4f69550256b0a8cdaeaa98ce0f35369a307e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e196bdbe-b479-4c37-ba33-f3b84081bfcd.tmp
Filesize
258KB

MD5
4c7fd4ec877faff33c5f4a3f91544197

SHA1
12c41dcb3ed1b351b0283f11715351dc475607c4

SHA256
05090e886a2f8bc6bf1f62fa09211774b4d6eb4e83785d935a474a50a2cb991f

SHA512
d8e9f9f27b4deaac86fcad0f06e853d9d9d1aa620d022ce17bfc8139f7bf81c819ae969dfb3b172a7d187414f98ff67fee29d802b5a4222a63b2a6b0d945da10

Download Submit
\??\pipe\crashpad_2408_UMGVWGBSFWESHMPZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
memory/2172-187-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-137-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-17-0x0000000003D80000-0x0000000004184000-memory.dmp

Filesize
4.0MB

Download
memory/2172-409-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2172-394-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2172-20-0x0000000003D80000-0x0000000004184000-memory.dmp

Filesize
4.0MB

Download
memory/2172-249-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-235-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-222-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-56-0x0000000003D80000-0x0000000004184000-memory.dmp

Filesize
4.0MB

Download
memory/2172-0-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-47-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-46-0x0000000003D80000-0x0000000004184000-memory.dmp

Filesize
4.0MB

Download
memory/2172-97-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-178-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-39-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-57-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-54-0x0000000073A40000-0x0000000073B0E000-memory.dmp

Filesize
824KB

Download
memory/2992-165-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-42-0x00000000742F0000-0x0000000074314000-memory.dmp

Filesize
144KB

Download
memory/2992-179-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-48-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-40-0x0000000073A40000-0x0000000073B0E000-memory.dmp

Filesize
824KB

Download
memory/2992-198-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-36-0x00000000741C0000-0x0000000074248000-memory.dmp

Filesize
544KB

Download
memory/2992-55-0x00000000742F0000-0x0000000074314000-memory.dmp

Filesize
144KB

Download
memory/2992-227-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-106-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-238-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-53-0x00000000741C0000-0x0000000074248000-memory.dmp

Filesize
544KB

Download
memory/2992-33-0x0000000073B10000-0x0000000073C1A000-memory.dmp

Filesize
1.0MB

Download
memory/2992-30-0x0000000073C20000-0x0000000073CE8000-memory.dmp

Filesize
800KB

Download
memory/2992-27-0x0000000074250000-0x0000000074299000-memory.dmp

Filesize
292KB

Download
memory/2992-25-0x0000000073CF0000-0x0000000073FBF000-memory.dmp

Filesize
2.8MB

Download
memory/2992-21-0x00000000009F0000-0x0000000000DF4000-memory.dmp

Filesize
4.0MB

Download
memory/2992-51-0x0000000073C20000-0x0000000073CE8000-memory.dmp

Filesize
800KB

Download
memory/2992-52-0x0000000073B10000-0x0000000073C1A000-memory.dmp

Filesize
1.0MB

Download
memory/2992-50-0x0000000074250000-0x0000000074299000-memory.dmp

Filesize
292KB

Download
memory/2992-49-0x0000000073CF0000-0x0000000073FBF000-memory.dmp

Filesize
2.8MB

Download