bitrat | 2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c

max time kernel
1192s
max time network
1203s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Size

7.6MB
MD5

9b035bad2b8a21fb2c57fd784c89b8d5
SHA1

ee15fad65f3f22df7f54e218176c45d369ebb70f
SHA256

2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c
SHA512

96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde
SSDEEP

196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.32

7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion:80

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
dllhost

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000400000-0x0000000000BAA000-memory.dmp	family_bitrat
behavioral1/memory/2304-53-0x0000000000400000-0x0000000000BAA000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll	acprotect
\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll	acprotect
\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll	acprotect
\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll	acprotect
\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll	acprotect

Executes dropped EXE 53 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
2136	dllhost.exe
1520	dllhost.exe
2812	dllhost.exe
2096	dllhost.exe
588	dllhost.exe
2068	dllhost.exe
2840	dllhost.exe
2472	dllhost.exe
1112	dllhost.exe
1544	dllhost.exe
2044	dllhost.exe
2296	dllhost.exe
2552	dllhost.exe
2472	dllhost.exe
1656	dllhost.exe
3056	dllhost.exe
1404	dllhost.exe
2448	dllhost.exe
2472	dllhost.exe
1612	dllhost.exe
1068	dllhost.exe
1812	dllhost.exe
972	dllhost.exe
2096	dllhost.exe
1492	dllhost.exe
1232	dllhost.exe
1124	dllhost.exe
2620	dllhost.exe
2732	dllhost.exe
1028	dllhost.exe
2284	dllhost.exe
2576	dllhost.exe
2116	dllhost.exe
540	dllhost.exe
3068	dllhost.exe
2132	dllhost.exe
580	dllhost.exe
2140	dllhost.exe
2728	dllhost.exe
1776	dllhost.exe
2632	dllhost.exe
1960	dllhost.exe
3064	dllhost.exe
2572	dllhost.exe
2748	dllhost.exe
1740	dllhost.exe
2072	dllhost.exe
1596	dllhost.exe
1964	dllhost.exe
2660	dllhost.exe
1080	dllhost.exe
1064	dllhost.exe
2816	dllhost.exe

Loads dropped DLL 64 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2136	dllhost.exe
2136	dllhost.exe
2136	dllhost.exe
2136	dllhost.exe
2136	dllhost.exe
2136	dllhost.exe
2136	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
1520	dllhost.exe
1520	dllhost.exe
1520	dllhost.exe
1520	dllhost.exe
1520	dllhost.exe
1520	dllhost.exe
1520	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2812	dllhost.exe
2812	dllhost.exe
2812	dllhost.exe
2812	dllhost.exe
2812	dllhost.exe
2812	dllhost.exe
2812	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2096	dllhost.exe
2096	dllhost.exe
2096	dllhost.exe
2096	dllhost.exe
2096	dllhost.exe
2096	dllhost.exe
2096	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
588	dllhost.exe
588	dllhost.exe
588	dllhost.exe
588	dllhost.exe
588	dllhost.exe
588	dllhost.exe
588	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2068	dllhost.exe
2068	dllhost.exe
2068	dllhost.exe
2068	dllhost.exe
2068	dllhost.exe
2068	dllhost.exe
2068	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2840	dllhost.exe
2840	dllhost.exe
2840	dllhost.exe
2840	dllhost.exe
2840	dllhost.exe
2840	dllhost.exe
2840	dllhost.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2472	dllhost.exe
2472	dllhost.exe
2472	dllhost.exe
2472	dllhost.exe
2472	dllhost.exe
2472	dllhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe	upx
behavioral1/memory/2304-17-0x0000000003AD0000-0x0000000003ED4000-memory.dmp	upx
behavioral1/memory/2136-20-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll	upx
behavioral1/memory/2136-24-0x0000000074280000-0x000000007454F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll	upx
behavioral1/memory/2136-27-0x00000000747E0000-0x0000000074829000-memory.dmp	upx
behavioral1/memory/2136-37-0x00000000740A0000-0x00000000741AA000-memory.dmp	upx
\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll	upx
\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll	upx
\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll	upx
\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll	upx
behavioral1/memory/2136-38-0x0000000074750000-0x00000000747D8000-memory.dmp	upx
behavioral1/memory/2136-39-0x0000000073FD0000-0x000000007409E000-memory.dmp	upx
behavioral1/memory/2136-40-0x0000000074880000-0x00000000748A4000-memory.dmp	upx
behavioral1/memory/2136-41-0x00000000741B0000-0x0000000074278000-memory.dmp	upx
behavioral1/memory/2136-45-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/2136-46-0x0000000074280000-0x000000007454F000-memory.dmp	upx
behavioral1/memory/2136-47-0x00000000747E0000-0x0000000074829000-memory.dmp	upx
behavioral1/memory/2136-48-0x00000000741B0000-0x0000000074278000-memory.dmp	upx
behavioral1/memory/2136-49-0x00000000740A0000-0x00000000741AA000-memory.dmp	upx
behavioral1/memory/2136-51-0x0000000073FD0000-0x000000007409E000-memory.dmp	upx
behavioral1/memory/2136-55-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/2136-57-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/2136-78-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/2136-102-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/2136-110-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/1520-135-0x0000000074280000-0x000000007454F000-memory.dmp	upx
behavioral1/memory/1520-134-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/2304-131-0x00000000047F0000-0x0000000004BF4000-memory.dmp	upx
behavioral1/memory/1520-142-0x0000000074880000-0x00000000748A4000-memory.dmp	upx
behavioral1/memory/1520-141-0x0000000073FD0000-0x000000007409E000-memory.dmp	upx
behavioral1/memory/1520-140-0x0000000074750000-0x00000000747D8000-memory.dmp	upx
behavioral1/memory/1520-139-0x00000000740A0000-0x00000000741AA000-memory.dmp	upx
behavioral1/memory/1520-138-0x00000000009C0000-0x0000000000DC4000-memory.dmp	upx
behavioral1/memory/1520-137-0x00000000741B0000-0x0000000074278000-memory.dmp	upx
behavioral1/memory/1520-136-0x00000000747E0000-0x0000000074829000-memory.dmp	upx
behavioral1/memory/2812-157-0x00000000011C0000-0x00000000015C4000-memory.dmp	upx
behavioral1/memory/2812-158-0x0000000074790000-0x00000000747D9000-memory.dmp	upx
behavioral1/memory/2812-159-0x0000000074480000-0x0000000074548000-memory.dmp	upx
behavioral1/memory/2812-160-0x0000000074370000-0x000000007447A000-memory.dmp	upx
behavioral1/memory/2812-161-0x00000000742E0000-0x0000000074368000-memory.dmp	upx
behavioral1/memory/2812-162-0x0000000073FB0000-0x000000007427F000-memory.dmp	upx
behavioral1/memory/2812-165-0x0000000073E50000-0x0000000073F1E000-memory.dmp	upx
behavioral1/memory/2812-166-0x0000000074800000-0x0000000074824000-memory.dmp	upx
behavioral1/memory/2812-179-0x00000000011C0000-0x00000000015C4000-memory.dmp	upx
behavioral1/memory/2812-180-0x0000000073FB0000-0x000000007427F000-memory.dmp	upx
behavioral1/memory/2812-181-0x0000000074790000-0x00000000747D9000-memory.dmp	upx
behavioral1/memory/2812-182-0x0000000074480000-0x0000000074548000-memory.dmp	upx
behavioral1/memory/2812-183-0x0000000074370000-0x000000007447A000-memory.dmp	upx
behavioral1/memory/2812-184-0x00000000742E0000-0x0000000074368000-memory.dmp	upx
behavioral1/memory/2812-185-0x0000000073E50000-0x0000000073F1E000-memory.dmp	upx
behavioral1/memory/2812-189-0x00000000011C0000-0x00000000015C4000-memory.dmp	upx
behavioral1/memory/2812-197-0x00000000011C0000-0x00000000015C4000-memory.dmp	upx
behavioral1/memory/2304-207-0x0000000000270000-0x000000000027A000-memory.dmp	upx
behavioral1/memory/2304-234-0x0000000005550000-0x0000000005954000-memory.dmp	upx
behavioral1/memory/2096-244-0x0000000073FB0000-0x000000007427F000-memory.dmp	upx
behavioral1/memory/2096-248-0x0000000074480000-0x0000000074548000-memory.dmp	upx
behavioral1/memory/2096-246-0x0000000074790000-0x00000000747D9000-memory.dmp	upx
behavioral1/memory/2096-256-0x0000000073E50000-0x0000000073F1E000-memory.dmp	upx
behavioral1/memory/2096-255-0x00000000742E0000-0x0000000074368000-memory.dmp	upx
behavioral1/memory/2096-254-0x0000000074370000-0x000000007447A000-memory.dmp	upx
behavioral1/memory/2096-258-0x0000000074800000-0x0000000074824000-memory.dmp	upx

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
183	myexternalip.com
203	myexternalip.com
47	myexternalip.com
75	myexternalip.com
88	myexternalip.com
131	myexternalip.com
26	myexternalip.com
40	myexternalip.com
123	myexternalip.com
139	myexternalip.com
159	myexternalip.com
175	myexternalip.com
211	myexternalip.com
55	myexternalip.com
102	myexternalip.com
167	myexternalip.com
218	myexternalip.com
25	myexternalip.com
110	myexternalip.com

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious use of NtSetInformationThreadHideFromDebugger 40 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid	process
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description pid process

Token: SeShutdownPrivilege 2304 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid process

2304 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
2304 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	pid	process
Token: SeShutdownPrivilege	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	pid	process	target process
PID 2304 wrote to memory of 2136	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2136	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2136	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2136	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1520	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1520	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1520	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1520	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2812	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2812	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2812	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2812	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2096	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2096	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2096	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2096	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 588	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 588	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 588	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 588	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2068	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2068	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2068	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2068	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2840	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2840	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2840	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2840	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1112	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1112	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1112	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1112	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1544	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1544	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1544	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1544	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2044	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2044	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2044	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2044	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2296	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2296	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2296	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2296	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2552	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2552	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2552	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2552	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 2472	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1656	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1656	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1656	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 1656	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 3056	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 3056	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 3056	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 2304 wrote to memory of 3056	2304	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2620

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:540

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2632

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2572

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1064

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-certs
Filesize
20KB

MD5
7ed58abcd9d3d913e0f91c69fd4c5170

SHA1
b527336e3d03c3ecbf6c8dfcc6acab74c23fd6f6

SHA256
802878173b16588781702bf77dee15424f6919a03a01ba713ede4581fd523b98

SHA512
5c7cb4154ade5e6b69cc2e9801888bec0e06f0e545530c18f18799753879d1d00143f6a0925ac0dc192b98f75d05ddfb4477c14d2d031faf5da8cdd579101fea

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
fc3cdf12d74519dbccc3ae86a7606462

SHA1
d7d97bfa3973e176ef10b2390c4e199d1f654f54

SHA256
d8f554fcc8c53f1040c8ca606fd59b0b00ecdc7b4f448be0890723b93c3cd5fa

SHA512
89c78c310f2aa3626381e01bf4c865efc83aec3831faee42e8c8c0cd8d4c19c2eacf7cdf0fc10e18f4ebf92aae5f59f00ba6b1e6774bcda3dceb4c552368f3af

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs
Filesize
20.4MB

MD5
95a422bc679ef3ca62aea334c259eef2

SHA1
e3d1d21aa550cb41ec902107025db9e2e15c0788

SHA256
b70b65a2cfe804b5580382d833be38c5930a5c22f2fd463c5337c5bef3a65a7c

SHA512
dfebcb2dc2f3d284684b76a1faea469f36a6e56d0df10ec433dffe56b8312635c570139477d2f8953c9dc0dcc2f2846d735f91407d0c9059b18717215573f8b8

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
541B

MD5
e2238c4ea6285408329b68b018f91ab5

SHA1
437d1e46a90cdd2313bfed9d3e4b47b1abaac615

SHA256
99a2051448d30d5f2cfd979320f540cb97d554456ded5f878496d4ac7acaa426

SHA512
7bc052c058748934a5cbea4c77262f63fdf928220c1faf44bb2dc4e2f1621bf529f77add8636bc4a6126ac9d36f24009ea5f2341e46d5cf151c7755ce6b0e3c6

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
20.4MB

MD5
fa15563738d44a0e2c505c81fd5b62e9

SHA1
d86853e0a75746503fce43d3adbf66c91196d3db

SHA256
8ddf7cc65d7001e8c0a964de705eb723ecb9f33f3c7b0bf9c8098d882f89338c

SHA512
41a0b4991af278a1cd6d4ca1b67e4f258806bb4079500251587c91c67e241b8b2eb9d7917e2a8cea2fb60fa5d992b7b36a2ba145b4388df2182f2992de469c5f

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
9.9MB

MD5
2bc7f4b5128b2d87f58c6cd047f217ed

SHA1
82bef2e2ba118e7c4e88fcb9892389afbc536a1d

SHA256
223c5afdabeedc3d3642da639d2c31dd73fb1c5b0e04cd61762cddee73f59366

SHA512
edc3be170d07142defac41dd4071b948e7ce5612516b9961c5467906f3b15b5f3aa21c900959685dfc864b5876944973fe61057f2f0965af3293f5965b8de170

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\state
Filesize
232B

MD5
b906fbf04d1bdf6f56bb58e2fab3096c

SHA1
42047e76e657d6f56bbf8829890893d8a0f2442d

SHA256
e8614346bc394ba5be417cc4ccfbdb09d48636c0c1b88fb3d6323617b1bce112

SHA512
c79d7a05efb02df0c93c5f7900d9d7164541f6283f5230b1dcf705fcfc5ef5fda4d009de6a432af874141af34f27c3d994a392ecaed0b59a83edd14f26c5a2e0

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\state
Filesize
9KB

MD5
af2d20fa014b6e7f255a1dc0d8f2e52a

SHA1
c0346fafb64aec51af0142cb48db501cbd912f3a

SHA256
0473c58bf9ff597b4f35e6498dee27fb9ba710ec14f11f97ff55b41737d7fc44

SHA512
976e6f2f140c6e6e56b12904974d2cac9b5cd579c7b9ed6e3848debd4a7adb52a1676307207ca8272aec0dca5c14c87e11bf26cf6bdadbb788a7873125ad241d

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\torrc
Filesize
139B

MD5
dbd537e3da06f7d7aeaf58f4decc0c94

SHA1
7e740ea6dcf8545710f99519014e9bb029028a84

SHA256
349b36a467d778e29b96528cdd25d6c34a54be659a9ef516b3833106ceb679b2

SHA512
a84633c420c825b15ef2fc5cf83a6d75fcdddbb06d3b7dc74537d5bc98b5d910d3dec4838f30be3a06373662d2946f156f36bd2e033e0b6089753006ac327a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1FF.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/588-329-0x0000000074480000-0x0000000074548000-memory.dmp

Filesize
800KB

Download
memory/588-357-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/588-359-0x0000000073E50000-0x0000000073F1E000-memory.dmp

Filesize
824KB

Download
memory/588-330-0x0000000074370000-0x000000007447A000-memory.dmp

Filesize
1.0MB

Download
memory/588-331-0x00000000742E0000-0x0000000074368000-memory.dmp

Filesize
544KB

Download
memory/588-327-0x0000000074790000-0x00000000747D9000-memory.dmp

Filesize
292KB

Download
memory/588-326-0x0000000073FB0000-0x000000007427F000-memory.dmp

Filesize
2.8MB

Download
memory/588-333-0x0000000074800000-0x0000000074824000-memory.dmp

Filesize
144KB

Download
memory/588-358-0x0000000074480000-0x0000000074548000-memory.dmp

Filesize
800KB

Download
memory/588-332-0x0000000073E50000-0x0000000073F1E000-memory.dmp

Filesize
824KB

Download
memory/588-356-0x0000000073FB0000-0x000000007427F000-memory.dmp

Filesize
2.8MB

Download
memory/588-328-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/1520-136-0x00000000747E0000-0x0000000074829000-memory.dmp

Filesize
292KB

Download
memory/1520-187-0x00000000741B0000-0x0000000074278000-memory.dmp

Filesize
800KB

Download
memory/1520-137-0x00000000741B0000-0x0000000074278000-memory.dmp

Filesize
800KB

Download
memory/1520-141-0x0000000073FD0000-0x000000007409E000-memory.dmp

Filesize
824KB

Download
memory/1520-138-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/1520-139-0x00000000740A0000-0x00000000741AA000-memory.dmp

Filesize
1.0MB

Download
memory/1520-135-0x0000000074280000-0x000000007454F000-memory.dmp

Filesize
2.8MB

Download
memory/1520-134-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/1520-140-0x0000000074750000-0x00000000747D8000-memory.dmp

Filesize
544KB

Download
memory/1520-142-0x0000000074880000-0x00000000748A4000-memory.dmp

Filesize
144KB

Download
memory/2096-259-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2096-244-0x0000000073FB0000-0x000000007427F000-memory.dmp

Filesize
2.8MB

Download
memory/2096-325-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2096-284-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2096-283-0x0000000074480000-0x0000000074548000-memory.dmp

Filesize
800KB

Download
memory/2096-282-0x0000000073FB0000-0x000000007427F000-memory.dmp

Filesize
2.8MB

Download
memory/2096-258-0x0000000074800000-0x0000000074824000-memory.dmp

Filesize
144KB

Download
memory/2096-254-0x0000000074370000-0x000000007447A000-memory.dmp

Filesize
1.0MB

Download
memory/2096-255-0x00000000742E0000-0x0000000074368000-memory.dmp

Filesize
544KB

Download
memory/2096-256-0x0000000073E50000-0x0000000073F1E000-memory.dmp

Filesize
824KB

Download
memory/2096-246-0x0000000074790000-0x00000000747D9000-memory.dmp

Filesize
292KB

Download
memory/2096-248-0x0000000074480000-0x0000000074548000-memory.dmp

Filesize
800KB

Download
memory/2136-47-0x00000000747E0000-0x0000000074829000-memory.dmp

Filesize
292KB

Download
memory/2136-51-0x0000000073FD0000-0x000000007409E000-memory.dmp

Filesize
824KB

Download
memory/2136-20-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-55-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-24-0x0000000074280000-0x000000007454F000-memory.dmp

Filesize
2.8MB

Download
memory/2136-27-0x00000000747E0000-0x0000000074829000-memory.dmp

Filesize
292KB

Download
memory/2136-37-0x00000000740A0000-0x00000000741AA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-38-0x0000000074750000-0x00000000747D8000-memory.dmp

Filesize
544KB

Download
memory/2136-39-0x0000000073FD0000-0x000000007409E000-memory.dmp

Filesize
824KB

Download
memory/2136-40-0x0000000074880000-0x00000000748A4000-memory.dmp

Filesize
144KB

Download
memory/2136-41-0x00000000741B0000-0x0000000074278000-memory.dmp

Filesize
800KB

Download
memory/2136-45-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-46-0x0000000074280000-0x000000007454F000-memory.dmp

Filesize
2.8MB

Download
memory/2136-110-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-102-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-78-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-57-0x00000000009C0000-0x0000000000DC4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-48-0x00000000741B0000-0x0000000074278000-memory.dmp

Filesize
800KB

Download
memory/2136-49-0x00000000740A0000-0x00000000741AA000-memory.dmp

Filesize
1.0MB

Download
memory/2304-0-0x0000000000400000-0x0000000000BAA000-memory.dmp

Filesize
7.7MB

Download
memory/2304-131-0x00000000047F0000-0x0000000004BF4000-memory.dmp

Filesize
4.0MB

Download
memory/2304-17-0x0000000003AD0000-0x0000000003ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2304-386-0x0000000005450000-0x0000000005854000-memory.dmp

Filesize
4.0MB

Download
memory/2304-371-0x00000000041D0000-0x00000000041DA000-memory.dmp

Filesize
40KB

Download
memory/2304-56-0x0000000003AD0000-0x0000000003ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2304-21-0x0000000003AD0000-0x0000000003ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2304-54-0x0000000003AD0000-0x0000000003ED4000-memory.dmp

Filesize
4.0MB

Download
memory/2304-234-0x0000000005550000-0x0000000005954000-memory.dmp

Filesize
4.0MB

Download
memory/2304-355-0x0000000005750000-0x0000000005B54000-memory.dmp

Filesize
4.0MB

Download
memory/2304-207-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2304-271-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2304-272-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2304-281-0x0000000005550000-0x0000000005954000-memory.dmp

Filesize
4.0MB

Download
memory/2304-206-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2304-346-0x0000000004800000-0x000000000480A000-memory.dmp

Filesize
40KB

Download
memory/2304-345-0x0000000004800000-0x000000000480A000-memory.dmp

Filesize
40KB

Download
memory/2304-296-0x0000000004800000-0x000000000480A000-memory.dmp

Filesize
40KB

Download
memory/2304-188-0x00000000047F0000-0x0000000004BF4000-memory.dmp

Filesize
4.0MB

Download
memory/2304-53-0x0000000000400000-0x0000000000BAA000-memory.dmp

Filesize
7.7MB

Download
memory/2812-197-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2812-182-0x0000000074480000-0x0000000074548000-memory.dmp

Filesize
800KB

Download
memory/2812-162-0x0000000073FB0000-0x000000007427F000-memory.dmp

Filesize
2.8MB

Download
memory/2812-183-0x0000000074370000-0x000000007447A000-memory.dmp

Filesize
1.0MB

Download
memory/2812-166-0x0000000074800000-0x0000000074824000-memory.dmp

Filesize
144KB

Download
memory/2812-181-0x0000000074790000-0x00000000747D9000-memory.dmp

Filesize
292KB

Download
memory/2812-180-0x0000000073FB0000-0x000000007427F000-memory.dmp

Filesize
2.8MB

Download
memory/2812-179-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2812-184-0x00000000742E0000-0x0000000074368000-memory.dmp

Filesize
544KB

Download
memory/2812-185-0x0000000073E50000-0x0000000073F1E000-memory.dmp

Filesize
824KB

Download
memory/2812-189-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2812-157-0x00000000011C0000-0x00000000015C4000-memory.dmp

Filesize
4.0MB

Download
memory/2812-158-0x0000000074790000-0x00000000747D9000-memory.dmp

Filesize
292KB

Download
memory/2812-159-0x0000000074480000-0x0000000074548000-memory.dmp

Filesize
800KB

Download
memory/2812-160-0x0000000074370000-0x000000007447A000-memory.dmp

Filesize
1.0MB

Download
memory/2812-165-0x0000000073E50000-0x0000000073F1E000-memory.dmp

Filesize
824KB

Download
memory/2812-161-0x00000000742E0000-0x0000000074368000-memory.dmp

Filesize
544KB

Download