bitrat | caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

max time kernel
598s
max time network
606s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/04/2024, 03:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub_tor.exe
Size

7.8MB
MD5

c76390d9e1052d9e708940d67b5c135d
SHA1

a370a73a9dd746584428e8a939288ecffd3c80f7
SHA256

caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
SHA512

4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
SSDEEP

196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes

communication_password
4124bc0a9335c27f086f24ba207a4912
install_dir
Minecraft
install_file
Runtime_Broker
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x000600000002a742-18.dat	acprotect
behavioral4/files/0x000600000002a76c-19.dat	acprotect
behavioral4/files/0x000200000002a78d-20.dat	acprotect
behavioral4/files/0x000200000002a786-26.dat	acprotect
behavioral4/files/0x000100000002a792-36.dat	acprotect
behavioral4/files/0x000100000002a794-31.dat	acprotect
behavioral4/files/0x000100000002a791-25.dat	acprotect

Executes dropped EXE 22 IoCs

pid	Process
4916	tor.exe
3508	tor.exe
3040	tor.exe
4952	tor.exe
4872	tor.exe
2976	tor.exe
3124	tor.exe
2268	tor.exe
2640	tor.exe
4968	tor.exe
3480	tor.exe
1660	tor.exe
3704	tor.exe
4824	tor.exe
3676	tor.exe
4480	tor.exe
3236	tor.exe
1436	tor.exe
1140	tor.exe
4804	tor.exe
4524	tor.exe
956	tor.exe

Loads dropped DLL 64 IoCs

pid	Process
4916	tor.exe
4916	tor.exe
4916	tor.exe
4916	tor.exe
4916	tor.exe
4916	tor.exe
4916	tor.exe
4916	tor.exe
4916	tor.exe
3508	tor.exe
3508	tor.exe
3508	tor.exe
3508	tor.exe
3508	tor.exe
3508	tor.exe
3508	tor.exe
3040	tor.exe
3040	tor.exe
3040	tor.exe
3040	tor.exe
3040	tor.exe
3040	tor.exe
3040	tor.exe
4952	tor.exe
4952	tor.exe
4952	tor.exe
4952	tor.exe
4952	tor.exe
4952	tor.exe
4952	tor.exe
4872	tor.exe
4872	tor.exe
4872	tor.exe
4872	tor.exe
4872	tor.exe
4872	tor.exe
4872	tor.exe
2976	tor.exe
2976	tor.exe
2976	tor.exe
2976	tor.exe
2976	tor.exe
2976	tor.exe
2976	tor.exe
3124	tor.exe
3124	tor.exe
3124	tor.exe
3124	tor.exe
3124	tor.exe
3124	tor.exe
3124	tor.exe
3124	tor.exe
2268	tor.exe
2268	tor.exe
2268	tor.exe
2268	tor.exe
2268	tor.exe
2268	tor.exe
2268	tor.exe
2640	tor.exe
2640	tor.exe
2640	tor.exe
2640	tor.exe
2640	tor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000100000002a793-14.dat	upx
behavioral4/files/0x000600000002a742-18.dat	upx
behavioral4/files/0x000600000002a76c-19.dat	upx
behavioral4/files/0x000200000002a78d-20.dat	upx
behavioral4/memory/4916-30-0x0000000073460000-0x000000007352E000-memory.dmp	upx
behavioral4/files/0x000200000002a786-26.dat	upx
behavioral4/files/0x000100000002a792-36.dat	upx
behavioral4/files/0x000100000002a794-31.dat	upx
behavioral4/memory/4916-29-0x0000000073530000-0x0000000073579000-memory.dmp	upx
behavioral4/files/0x000100000002a791-25.dat	upx
behavioral4/memory/4916-22-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-40-0x0000000073320000-0x000000007342A000-memory.dmp	upx
behavioral4/memory/4916-42-0x0000000073050000-0x000000007331F000-memory.dmp	upx
behavioral4/memory/4916-45-0x0000000073580000-0x0000000073648000-memory.dmp	upx
behavioral4/memory/4916-46-0x0000000073430000-0x0000000073454000-memory.dmp	upx
behavioral4/memory/4916-43-0x0000000072FC0000-0x0000000073048000-memory.dmp	upx
behavioral4/memory/4916-48-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-50-0x0000000073530000-0x0000000073579000-memory.dmp	upx
behavioral4/memory/4916-51-0x0000000073460000-0x000000007352E000-memory.dmp	upx
behavioral4/memory/4916-56-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-57-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-66-0x0000000001860000-0x00000000018E8000-memory.dmp	upx
behavioral4/memory/4916-92-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-102-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-111-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-119-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-127-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4916-143-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/3508-157-0x0000000073050000-0x000000007331F000-memory.dmp	upx
behavioral4/memory/3508-159-0x0000000073580000-0x0000000073648000-memory.dmp	upx
behavioral4/memory/3508-160-0x0000000073460000-0x000000007352E000-memory.dmp	upx
behavioral4/memory/3508-162-0x0000000073530000-0x0000000073579000-memory.dmp	upx
behavioral4/memory/3508-166-0x0000000073320000-0x000000007342A000-memory.dmp	upx
behavioral4/memory/3508-167-0x0000000072FC0000-0x0000000073048000-memory.dmp	upx
behavioral4/memory/3508-165-0x0000000073430000-0x0000000073454000-memory.dmp	upx
behavioral4/memory/3508-177-0x0000000073050000-0x000000007331F000-memory.dmp	upx
behavioral4/memory/3508-176-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/3508-178-0x0000000073580000-0x0000000073648000-memory.dmp	upx
behavioral4/memory/3508-179-0x0000000073460000-0x000000007352E000-memory.dmp	upx
behavioral4/memory/3040-192-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/3040-193-0x0000000073080000-0x000000007334F000-memory.dmp	upx
behavioral4/memory/3040-194-0x0000000071D00000-0x0000000071DC8000-memory.dmp	upx
behavioral4/memory/3040-197-0x0000000071C30000-0x0000000071CFE000-memory.dmp	upx
behavioral4/memory/3040-200-0x0000000073000000-0x0000000073024000-memory.dmp	upx
behavioral4/memory/3040-201-0x0000000071B20000-0x0000000071C2A000-memory.dmp	upx
behavioral4/memory/3040-202-0x0000000071A90000-0x0000000071B18000-memory.dmp	upx
behavioral4/memory/3040-203-0x0000000073030000-0x0000000073079000-memory.dmp	upx
behavioral4/memory/3040-226-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/3040-227-0x0000000073080000-0x000000007334F000-memory.dmp	upx
behavioral4/memory/3040-228-0x0000000071D00000-0x0000000071DC8000-memory.dmp	upx
behavioral4/memory/3040-229-0x0000000071C30000-0x0000000071CFE000-memory.dmp	upx
behavioral4/memory/4952-253-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4952-258-0x0000000071D00000-0x0000000071DC8000-memory.dmp	upx
behavioral4/memory/4952-259-0x0000000071C30000-0x0000000071CFE000-memory.dmp	upx
behavioral4/memory/4952-262-0x0000000073030000-0x0000000073079000-memory.dmp	upx
behavioral4/memory/4952-264-0x0000000073000000-0x0000000073024000-memory.dmp	upx
behavioral4/memory/4952-266-0x0000000071B20000-0x0000000071C2A000-memory.dmp	upx
behavioral4/memory/4952-268-0x0000000071A90000-0x0000000071B18000-memory.dmp	upx
behavioral4/memory/3040-260-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4952-255-0x0000000073080000-0x000000007334F000-memory.dmp	upx
behavioral4/memory/4952-273-0x0000000071D00000-0x0000000071DC8000-memory.dmp	upx
behavioral4/memory/4952-274-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral4/memory/4952-275-0x0000000073080000-0x000000007334F000-memory.dmp	upx
behavioral4/memory/4872-289-0x0000000073000000-0x0000000073024000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker倀"	stub_tor.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
84	myexternalip.com
2	myexternalip.com
35	myexternalip.com
15	myexternalip.com
22	myexternalip.com
30	myexternalip.com
45	myexternalip.com
64	myexternalip.com
76	myexternalip.com
52	myexternalip.com
70	myexternalip.com
90	myexternalip.com
97	myexternalip.com
103	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 64 IoCs

pid	Process
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe
2844	stub_tor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2844	stub_tor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2844	stub_tor.exe
2844	stub_tor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4916	2844	stub_tor.exe	80
PID 2844 wrote to memory of 4916	2844	stub_tor.exe	80
PID 2844 wrote to memory of 4916	2844	stub_tor.exe	80
PID 2844 wrote to memory of 3508	2844	stub_tor.exe	81
PID 2844 wrote to memory of 3508	2844	stub_tor.exe	81
PID 2844 wrote to memory of 3508	2844	stub_tor.exe	81
PID 2844 wrote to memory of 3040	2844	stub_tor.exe	82
PID 2844 wrote to memory of 3040	2844	stub_tor.exe	82
PID 2844 wrote to memory of 3040	2844	stub_tor.exe	82
PID 2844 wrote to memory of 4952	2844	stub_tor.exe	83
PID 2844 wrote to memory of 4952	2844	stub_tor.exe	83
PID 2844 wrote to memory of 4952	2844	stub_tor.exe	83
PID 2844 wrote to memory of 4872	2844	stub_tor.exe	84
PID 2844 wrote to memory of 4872	2844	stub_tor.exe	84
PID 2844 wrote to memory of 4872	2844	stub_tor.exe	84
PID 2844 wrote to memory of 2976	2844	stub_tor.exe	85
PID 2844 wrote to memory of 2976	2844	stub_tor.exe	85
PID 2844 wrote to memory of 2976	2844	stub_tor.exe	85
PID 2844 wrote to memory of 3124	2844	stub_tor.exe	86
PID 2844 wrote to memory of 3124	2844	stub_tor.exe	86
PID 2844 wrote to memory of 3124	2844	stub_tor.exe	86
PID 2844 wrote to memory of 2268	2844	stub_tor.exe	87
PID 2844 wrote to memory of 2268	2844	stub_tor.exe	87
PID 2844 wrote to memory of 2268	2844	stub_tor.exe	87
PID 2844 wrote to memory of 2640	2844	stub_tor.exe	88
PID 2844 wrote to memory of 2640	2844	stub_tor.exe	88
PID 2844 wrote to memory of 2640	2844	stub_tor.exe	88
PID 2844 wrote to memory of 4968	2844	stub_tor.exe	89
PID 2844 wrote to memory of 4968	2844	stub_tor.exe	89
PID 2844 wrote to memory of 4968	2844	stub_tor.exe	89
PID 2844 wrote to memory of 3480	2844	stub_tor.exe	90
PID 2844 wrote to memory of 3480	2844	stub_tor.exe	90
PID 2844 wrote to memory of 3480	2844	stub_tor.exe	90
PID 2844 wrote to memory of 1660	2844	stub_tor.exe	91
PID 2844 wrote to memory of 1660	2844	stub_tor.exe	91
PID 2844 wrote to memory of 1660	2844	stub_tor.exe	91
PID 2844 wrote to memory of 3704	2844	stub_tor.exe	92
PID 2844 wrote to memory of 3704	2844	stub_tor.exe	92
PID 2844 wrote to memory of 3704	2844	stub_tor.exe	92
PID 2844 wrote to memory of 4824	2844	stub_tor.exe	93
PID 2844 wrote to memory of 4824	2844	stub_tor.exe	93
PID 2844 wrote to memory of 4824	2844	stub_tor.exe	93
PID 2844 wrote to memory of 3676	2844	stub_tor.exe	94
PID 2844 wrote to memory of 3676	2844	stub_tor.exe	94
PID 2844 wrote to memory of 3676	2844	stub_tor.exe	94
PID 2844 wrote to memory of 4480	2844	stub_tor.exe	95
PID 2844 wrote to memory of 4480	2844	stub_tor.exe	95
PID 2844 wrote to memory of 4480	2844	stub_tor.exe	95
PID 2844 wrote to memory of 3236	2844	stub_tor.exe	96
PID 2844 wrote to memory of 3236	2844	stub_tor.exe	96
PID 2844 wrote to memory of 3236	2844	stub_tor.exe	96
PID 2844 wrote to memory of 1436	2844	stub_tor.exe	97
PID 2844 wrote to memory of 1436	2844	stub_tor.exe	97
PID 2844 wrote to memory of 1436	2844	stub_tor.exe	97
PID 2844 wrote to memory of 1140	2844	stub_tor.exe	98
PID 2844 wrote to memory of 1140	2844	stub_tor.exe	98
PID 2844 wrote to memory of 1140	2844	stub_tor.exe	98
PID 2844 wrote to memory of 4804	2844	stub_tor.exe	99
PID 2844 wrote to memory of 4804	2844	stub_tor.exe	99
PID 2844 wrote to memory of 4804	2844	stub_tor.exe	99
PID 2844 wrote to memory of 4524	2844	stub_tor.exe	100
PID 2844 wrote to memory of 4524	2844	stub_tor.exe	100
PID 2844 wrote to memory of 4524	2844	stub_tor.exe	100
PID 2844 wrote to memory of 956	2844	stub_tor.exe	101

C:\Users\Admin\AppData\Local\Temp\stub_tor.exe
"C:\Users\Admin\AppData\Local\Temp\stub_tor.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4916
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3508
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3040
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4952
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4872
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2976
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3124
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2268
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2640
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
  "C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:956

Network

DNS

49.78.31.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.78.31.31.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

140.81.58.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.81.58.199.in-addr.arpa

IN PTR

Response

140.81.58.199.in-addr.arpa

IN PTR

longclawriseupnet
DNS

16.10.79.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.10.79.141.in-addr.arpa

IN PTR

Response

16.10.79.141.in-addr.arpa

IN PTR

atalef217hs-offenburgde
DNS

myexternalip.com

Remote address:

8.8.8.8:53

Request

myexternalip.com

IN A

Response

myexternalip.com

IN A

34.117.118.44
DNS

x1.c.lencr.org

Remote address:

8.8.8.8:53

Request

x1.c.lencr.org

IN A

Response

x1.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

2.19.169.32
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

r3.o.lencr.org

Remote address:

8.8.8.8:53

Request

r3.o.lencr.org

IN A

Response

r3.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

23.63.101.170

a1887.dscq.akamai.net

IN A

23.63.101.171
DNS

170.101.63.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.101.63.23.in-addr.arpa

IN PTR

Response

170.101.63.23.in-addr.arpa

IN PTR

a23-63-101-170deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

117.150.227.212.in-addr.arpa

Remote address:

8.8.8.8:53

Request

117.150.227.212.in-addr.arpa

IN PTR

Response

117.150.227.212.in-addr.arpa

IN PTR

ip212-227-150-117pbiaascom
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

2.17.197.240

a767.dspw65.akamai.net

IN A

2.17.197.216
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdaue03.australiaeast.cloudapp.azure.com

onedscolprdaue03.australiaeast.cloudapp.azure.com

IN A

40.79.173.41
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

232.158.181.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.158.181.5.in-addr.arpa

IN PTR

Response

232.158.181.5.in-addr.arpa

IN PTR

no-rdns mivocloudcom
DNS

168.102.160.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.102.160.192.in-addr.arpa

IN PTR

Response

168.102.160.192.in-addr.arpa

IN PTR

prawksirelaycoldhakcom
DNS

149.111.45.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.111.45.5.in-addr.arpa

IN PTR

Response

149.111.45.5.in-addr.arpa

IN PTR

nobodyyourvservernet
DNS

162.109.105.109.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.109.105.109.in-addr.arpa

IN PTR

Response

162.109.105.109.in-addr.arpa

IN PTR

tornordunet
DNS

16.2.111.66.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.2.111.66.in-addr.arpa

IN PTR

Response

16.2.111.66.in-addr.arpa

IN PTR

nycbug1nycbugorg
DNS

172.2.216.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.2.216.95.in-addr.arpa

IN PTR

Response

172.2.216.95.in-addr.arpa

IN PTR

readme-tor-exitmemcpyio
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

44.118.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.118.117.34.in-addr.arpa

IN PTR

Response

44.118.117.34.in-addr.arpa

IN PTR

4411811734bcgoogleusercontentcom
DNS

32.169.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.169.19.2.in-addr.arpa

IN PTR

Response

32.169.19.2.in-addr.arpa

IN PTR

a2-19-169-32deploystaticakamaitechnologiescom
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.19
DNS

162.93.81.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.93.81.51.in-addr.arpa

IN PTR

Response

162.93.81.51.in-addr.arpa

IN PTR

ns1004575ip-51-81-93us
DNS

77.29.59.37.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.29.59.37.in-addr.arpa

IN PTR

Response
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

41.173.79.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.173.79.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

220.234.59.146.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.234.59.146.in-addr.arpa

IN PTR

Response

220.234.59.146.in-addr.arpa

IN PTR

tor-exit-node-2 neowutranovh
DNS

45.114.11.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.114.11.193.in-addr.arpa

IN PTR

Response

45.114.11.193.in-addr.arpa

IN PTR

tor2mdfnetse
DNS

232.62.129.212.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.62.129.212.in-addr.arpa

IN PTR

Response

232.62.129.212.in-addr.arpa

IN PTR

torrelay wardsbackorg
DNS

28.28.87.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.28.87.192.in-addr.arpa

IN PTR

Response

28.28.87.192.in-addr.arpa

IN PTR

anonymous6secnl

31.31.78.49:443

www.fsqyjuyp4ftqt65qua3eib.com

tls

tor.exe

809 B
3.6kB
7
7
212.47.233.250:9001

tor.exe

260 B
5
127.0.0.1:49770

tor.exe
80.127.137.19:443

tor.exe

260 B
5
127.0.0.1:45808

stub_tor.exe
66.111.2.16:9001

www.zyiq7smkqo7nslh.com

tls

tor.exe

2.0kB
4.1kB
10
7
199.58.81.140:443

www.2gnkmuqj7v6oqpl2oswihuio.com

tls

tor.exe

52.6kB
771.5kB
558
573
141.79.10.16:9001

www.3eaoh74xj7vdalsamm63ukyn.com

tls

tor.exe

672.4kB
7.5MB
5107
5490
95.216.2.172:8081

www.trjw7felp.com

tls

tor.exe

502.9kB
5.7MB
3943
4217
141.79.10.16:9001

www.3pzijqipplgiy6lum.com

tls

tor.exe

46.4kB
55.0kB
105
147
95.216.2.172:8081

www.jbyb.com

tls

tor.exe

29.6kB
36.2kB
71
100
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

984 B
4.4kB
11
9
127.0.0.1:49911

tor.exe
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
51.81.93.162:443

www.fh2zsrhmirdhoo.com

tls

tor.exe

17.7kB
25.2kB
43
55
127.0.0.1:49949

tor.exe
212.227.150.117:443

www.zmz4w5h2vuovm5hzl6pi.com

tls

tor.exe

18.4kB
22.8kB
46
59
37.59.29.77:9000

www.r4ldg524jcyopqxvgqyuxcz4o.com

tls

tor.exe

5.4kB
9.0kB
17
20
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50020

tor.exe
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
5.181.158.232:443

www.ztenkp7c.com

tls

tor.exe

3.0kB
5.9kB
10
10
127.0.0.1:50059

tor.exe
51.81.93.162:443

www.suisadkfogxxfpwr3uoqnd2.com

tls

tor.exe

3.7kB
6.1kB
13
14
127.0.0.1:50086

tor.exe
127.0.0.1:50113

tor.exe
146.59.234.220:443

www.uok76yoc2ojqxmfo.com

tls

tor.exe

3.1kB
9.2kB
13
15
51.81.93.162:443

www.pgsp7atsrepvx.com

tls

tor.exe

20.6kB
26.3kB
49
67
5.181.158.232:443

www.nldpglajsnetletjwicu.com

tls

tor.exe

12.4kB
16.3kB
31
42
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50169

tor.exe
127.0.0.1:50198

tor.exe
192.160.102.168:9001

www.ki3rbnnbkaa4sex2ue2i5sv3.com

tls

tor.exe

3.5kB
13.0kB
18
15
51.81.93.162:443

www.efiqlvt2hlvumnycoy.com

tls

tor.exe

13.7kB
18.6kB
35
47
5.181.158.232:443

www.3a5afr6w2u2yl.com

tls

tor.exe

20.7kB
25.7kB
50
65
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50241

tor.exe
127.0.0.1:50273

tor.exe
193.11.114.45:9002

www.5ayn6fnw.com

tls

tor.exe

3.2kB
9.3kB
14
17
5.181.158.232:443

www.ipiqb.com

tls

tor.exe

20.0kB
21.4kB
46
63
51.81.93.162:443

www.pcsfn4exxgoqf37xlcvkioh.com

tls

tor.exe

12.0kB
15.7kB
33
41
127.0.0.1:45808

stub_tor.exe
127.0.0.1:50345

tor.exe
193.11.114.45:9002

www.75t3qkbhqd3kw.com

tls

tor.exe

3.1kB
9.3kB
13
16
51.81.93.162:443

www.giqfcscoywvtoj2ykas.com

tls

tor.exe

23.5kB
30.3kB
55
75
127.0.0.1:45808

stub_tor.exe
5.181.158.232:443

www.srcni7jaxp.com

tls

tor.exe

12.4kB
14.6kB
31
39
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50403

tor.exe
31.31.78.49:443

www.qmjq62.com

tls

tor.exe

793 B
3.6kB
7
7
51.81.93.162:443

www.xblnaogsyh4spct6.com

tls

tor.exe

20.6kB
24.2kB
49
67
5.181.158.232:443

www.atudmvabkytrneoi.com

tls

tor.exe

16.0kB
21.5kB
41
54
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
5.45.111.149:443

www.ubfdfs4vrxfispuxitfbk.com

tls

tor.exe

3.2kB
9.3kB
15
17
127.0.0.1:50461

tor.exe
51.81.93.162:443

www.ohw7it3q3zfubzajys.com

tls

tor.exe

20.0kB
24.9kB
47
68
5.181.158.232:443

www.tinii5dwib3p6.com

tls

tor.exe

16.5kB
19.7kB
39
50
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50516

tor.exe
127.0.0.1:50540

tor.exe
212.129.62.232:443

www.zfhkkq4hdu4n.com

tls

tor.exe

3.1kB
9.2kB
12
14
5.181.158.232:443

www.7oh75mg.com

tls

tor.exe

27.1kB
29.9kB
61
75
127.0.0.1:45808

stub_tor.exe
51.81.93.162:443

www.agqv.com

tls

tor.exe

8.9kB
13.6kB
24
31
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50587

tor.exe
109.105.109.162:60784

www.rtg6quxkpocgw63eo.com

tls

tor.exe

3.1kB
9.2kB
13
16
51.81.93.162:443

www.76zmn7hl.com

tls

tor.exe

19.5kB
23.9kB
47
60
5.181.158.232:443

www.frbkse2syq473qsf4w.com

tls

tor.exe

16.6kB
20.5kB
42
55
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50641

tor.exe
127.0.0.1:50669

tor.exe
5.200.21.144:443

tor.exe

260 B
5
51.81.93.162:443

www.aumip5pl.com

tls

tor.exe

15.3kB
20.3kB
37
50
5.181.158.232:443

www.yknajy7fgjfpq2qs.com

tls

tor.exe

20.6kB
23.5kB
47
64
127.0.0.1:45808

stub_tor.exe
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50727

tor.exe
192.87.28.28:9001

www.bd35crfoe.com

tls

tor.exe

3.1kB
9.1kB
13
11
51.81.93.162:443

www.cerpvje.com

tls

tor.exe

27.4kB
33.5kB
60
87
127.0.0.1:45808

stub_tor.exe
5.181.158.232:443

www.pl2kj3opzksn6esdq44u.com

tls

tor.exe

8.3kB
10.3kB
21
27
34.117.118.44:443

myexternalip.com

tls

stub_tor.exe

1.2kB
1.3kB
9
6
127.0.0.1:50778

tor.exe
127.0.0.1:50801

tor.exe
188.138.88.42:443

tor.exe

208 B
4
5.181.158.232:443

www.5xvzmmzehqalcwg.com

tls

tor.exe

10.1kB
12.9kB
26
36

8.8.8.8:53

49.78.31.31.in-addr.arpa

dns

1.3kB
2.4kB
18
18

DNS Request

49.78.31.31.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

140.81.58.199.in-addr.arpa

DNS Request

16.10.79.141.in-addr.arpa

DNS Request

myexternalip.com

DNS Response

34.117.118.44

DNS Request

x1.c.lencr.org

DNS Response

2.19.169.32

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

r3.o.lencr.org

DNS Response

23.63.101.170

23.63.101.171

DNS Request

170.101.63.23.in-addr.arpa

DNS Request

19.229.111.52.in-addr.arpa

DNS Request

117.150.227.212.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

2.17.197.240

2.17.197.216

DNS Request

self.events.data.microsoft.com

DNS Response

40.79.173.41

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

232.158.181.5.in-addr.arpa

DNS Request

168.102.160.192.in-addr.arpa

DNS Request

149.111.45.5.in-addr.arpa

DNS Request

162.109.105.109.in-addr.arpa
8.8.8.8:53

16.2.111.66.in-addr.arpa

dns

1.1kB
1.9kB
15
15

DNS Request

16.2.111.66.in-addr.arpa

DNS Request

172.2.216.95.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

44.118.117.34.in-addr.arpa

DNS Request

32.169.19.2.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.19

DNS Request

162.93.81.51.in-addr.arpa

DNS Request

77.29.59.37.in-addr.arpa

DNS Request

240.197.17.2.in-addr.arpa

DNS Request

41.173.79.40.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

220.234.59.146.in-addr.arpa

DNS Request

45.114.11.193.in-addr.arpa

DNS Request

232.62.129.212.in-addr.arpa

DNS Request

28.28.87.192.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-certs

Filesize
20KB

MD5
c8bb11294d440667488ccdd77e3f052b

SHA1
e3586836e75844e092af9a2af29ea326449b8707

SHA256
ba0c39424754db46715d54d46cc1badb3ccb19b4c8a93785f0d4e71b31176089

SHA512
856d1579ad60139245bf88677b42f9fb4d90b6c15f12d3f8b075ade5429b1011573bf807e8d8b52f1e1e4ce663791f2100d4df8b18fc9e1bb6634f21e49f795f

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdesc-consensus

Filesize
2.6MB

MD5
3af58b6add70a3559c53205e4aefd0f9

SHA1
5c1a95db8a1695b14b26cb5e8ae92fea5bd9da41

SHA256
d9595b5e4bb49267b93c50334024de412c0e8a2831f2caa1102529292b9c2a7e

SHA512
21b93f9444d559aa19fd36afd939120623187fd42cf43296447cfa8794d7a72773900405b37587def2e794b7e829d337aaf5b397a8882552875a89023f104f97

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs

Filesize
20.4MB

MD5
d5b00ce3abad821c2a097ddee0d45f1b

SHA1
bcdf63e7b0c2e7e10bc2f338af0f8790eeef4cf4

SHA256
01bf9c108a2c6f47789cbfe9657e45224979f5073ac4ff2efd0e5dc8414adba2

SHA512
b3841056ddba3e39e4d1fcba3e1cdae621814ae357b95edec63814db7942f447353a135f47c0b2c9c68cee974578ce96b4338367c6cbfa9d5b28067bda66d22f

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new

Filesize
20.4MB

MD5
0ddd4d5513dd01fdd55797430f908a35

SHA1
733eaf611a827a9f588509634fd1abc47ff920c7

SHA256
8d6f17813b14def99bc16d2001a7237ce360907f28063b0aa06a58d1da4feb1f

SHA512
c3327a1998741c53b8f1db3ecd59a00222d30c86e80a1c27e6bd9b2e4179ff2fb2910bd087cc06398189ea72773326a6d67c4992416b1a55d88e4d768f11115b

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new

Filesize
8.8MB

MD5
74a18366ee78ebe64fbd0c705c703d10

SHA1
6deac511b789663383ecf3b677122494c406fff6

SHA256
d273bb5fcb214afd356a7532fb766d12fea7a3429e74ad05498dca01400b6be9

SHA512
1fbb02d6685ded533a4912a2bc5d715fef2e7e94bf9a88fbc92d6d053baf1146293c994fe4daaf9598207bca5cacdef59275c302537aced50400b719bef4218a

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state

Filesize
232B

MD5
9e0d35f1b1df9faf117b997d0344ec5c

SHA1
234dcb32c208427e3900ade22b0c50ddde72f79a

SHA256
fd912e8a8f319eceb20b75f84dc9d99cec5a5680ec490fdcc02c178954b4d18b

SHA512
dd538c9ea2d96293f64fa3d65679870a7ceb6d33da41f045db78a4c700fc2adc3a23ea92df5a4c26d3b68a79498f0844b37ae74cc24cbb054a59ccd3cd2ddbb8

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state

Filesize
3KB

MD5
8e25b8549d3b63b3d2a11ee3302d9d70

SHA1
0b17ffc34a3298bf4e58592c754c17fb11d1f56e

SHA256
49cd0cba2ee723e0565604fafa587a2bebf8272dd248fbd533157da85a76c485

SHA512
9eddb0e10464a3885c76c5dac4f118cfa5c21e6c60db661bdd16f5c0a87e8e250efb034dda7e4c31dc89cd01e5bd8d5ee14039fce17983b6bf78c649c436c8d0

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\torrc

Filesize
157B

MD5
8ea874223f853aac5ea469ccc164a8f9

SHA1
70d31011547870c9f930496dbf9fb7ec296a8c28

SHA256
95e134044f370b2a96408d581f3c0381fe95388dae27c6d9598f44dc7d72b9ed

SHA512
fd1dc20219fbf4863926d90b5a2127b65e165656eac4493a80288d0c57fc309ed998b5d30fe8ce313987ee367fc4fe9b6026ff32d4391950d7f26ca7b6fdcdf2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/2844-47-0x0000000072BA0000-0x0000000072BDC000-memory.dmp

Filesize
240KB

Download
memory/2844-180-0x0000000073430000-0x000000007346C000-memory.dmp

Filesize
240KB

Download
memory/2844-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2844-110-0x0000000074000000-0x000000007403C000-memory.dmp

Filesize
240KB

Download
memory/2844-1-0x0000000074030000-0x000000007406C000-memory.dmp

Filesize
240KB

Download
memory/2976-306-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/2976-308-0x0000000073080000-0x000000007334F000-memory.dmp

Filesize
2.8MB

Download
memory/2976-309-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/2976-312-0x0000000071A90000-0x0000000071B5E000-memory.dmp

Filesize
824KB

Download
memory/3040-260-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/3040-192-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/3040-201-0x0000000071B20000-0x0000000071C2A000-memory.dmp

Filesize
1.0MB

Download
memory/3040-229-0x0000000071C30000-0x0000000071CFE000-memory.dmp

Filesize
824KB

Download
memory/3040-200-0x0000000073000000-0x0000000073024000-memory.dmp

Filesize
144KB

Download
memory/3040-197-0x0000000071C30000-0x0000000071CFE000-memory.dmp

Filesize
824KB

Download
memory/3040-228-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/3040-227-0x0000000073080000-0x000000007334F000-memory.dmp

Filesize
2.8MB

Download
memory/3040-194-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/3040-226-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/3040-193-0x0000000073080000-0x000000007334F000-memory.dmp

Filesize
2.8MB

Download
memory/3040-203-0x0000000073030000-0x0000000073079000-memory.dmp

Filesize
292KB

Download
memory/3040-202-0x0000000071A90000-0x0000000071B18000-memory.dmp

Filesize
544KB

Download
memory/3508-178-0x0000000073580000-0x0000000073648000-memory.dmp

Filesize
800KB

Download
memory/3508-157-0x0000000073050000-0x000000007331F000-memory.dmp

Filesize
2.8MB

Download
memory/3508-160-0x0000000073460000-0x000000007352E000-memory.dmp

Filesize
824KB

Download
memory/3508-162-0x0000000073530000-0x0000000073579000-memory.dmp

Filesize
292KB

Download
memory/3508-166-0x0000000073320000-0x000000007342A000-memory.dmp

Filesize
1.0MB

Download
memory/3508-167-0x0000000072FC0000-0x0000000073048000-memory.dmp

Filesize
544KB

Download
memory/3508-165-0x0000000073430000-0x0000000073454000-memory.dmp

Filesize
144KB

Download
memory/3508-177-0x0000000073050000-0x000000007331F000-memory.dmp

Filesize
2.8MB

Download
memory/3508-176-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/3508-159-0x0000000073580000-0x0000000073648000-memory.dmp

Filesize
800KB

Download
memory/3508-179-0x0000000073460000-0x000000007352E000-memory.dmp

Filesize
824KB

Download
memory/4872-289-0x0000000073000000-0x0000000073024000-memory.dmp

Filesize
144KB

Download
memory/4872-294-0x0000000071A90000-0x0000000071B5E000-memory.dmp

Filesize
824KB

Download
memory/4872-293-0x0000000071B60000-0x0000000071BE8000-memory.dmp

Filesize
544KB

Download
memory/4872-290-0x0000000071BF0000-0x0000000071CFA000-memory.dmp

Filesize
1.0MB

Download
memory/4872-295-0x0000000073080000-0x000000007334F000-memory.dmp

Filesize
2.8MB

Download
memory/4872-313-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/4872-288-0x0000000073030000-0x0000000073079000-memory.dmp

Filesize
292KB

Download
memory/4872-287-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/4916-48-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-22-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-127-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-119-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-111-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-102-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-92-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-66-0x0000000001860000-0x00000000018E8000-memory.dmp

Filesize
544KB

Download
memory/4916-30-0x0000000073460000-0x000000007352E000-memory.dmp

Filesize
824KB

Download
memory/4916-143-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-29-0x0000000073530000-0x0000000073579000-memory.dmp

Filesize
292KB

Download
memory/4916-50-0x0000000073530000-0x0000000073579000-memory.dmp

Filesize
292KB

Download
memory/4916-40-0x0000000073320000-0x000000007342A000-memory.dmp

Filesize
1.0MB

Download
memory/4916-41-0x0000000001860000-0x0000000001B2F000-memory.dmp

Filesize
2.8MB

Download
memory/4916-42-0x0000000073050000-0x000000007331F000-memory.dmp

Filesize
2.8MB

Download
memory/4916-65-0x0000000001860000-0x0000000001B2F000-memory.dmp

Filesize
2.8MB

Download
memory/4916-44-0x0000000001860000-0x00000000018E8000-memory.dmp

Filesize
544KB

Download
memory/4916-45-0x0000000073580000-0x0000000073648000-memory.dmp

Filesize
800KB

Download
memory/4916-46-0x0000000073430000-0x0000000073454000-memory.dmp

Filesize
144KB

Download
memory/4916-43-0x0000000072FC0000-0x0000000073048000-memory.dmp

Filesize
544KB

Download
memory/4916-57-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-56-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4916-51-0x0000000073460000-0x000000007352E000-memory.dmp

Filesize
824KB

Download
memory/4952-258-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/4952-275-0x0000000073080000-0x000000007334F000-memory.dmp

Filesize
2.8MB

Download
memory/4952-274-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4952-273-0x0000000071D00000-0x0000000071DC8000-memory.dmp

Filesize
800KB

Download
memory/4952-255-0x0000000073080000-0x000000007334F000-memory.dmp

Filesize
2.8MB

Download
memory/4952-268-0x0000000071A90000-0x0000000071B18000-memory.dmp

Filesize
544KB

Download
memory/4952-266-0x0000000071B20000-0x0000000071C2A000-memory.dmp

Filesize
1.0MB

Download
memory/4952-264-0x0000000073000000-0x0000000073024000-memory.dmp

Filesize
144KB

Download
memory/4952-262-0x0000000073030000-0x0000000073079000-memory.dmp

Filesize
292KB

Download
memory/4952-259-0x0000000071C30000-0x0000000071CFE000-memory.dmp

Filesize
824KB

Download
memory/4952-253-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.