bitrat | 28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

Resubmissions

10-04-2024 11:59

240410-n5sxrsaa2t 10

10-04-2024 11:59

10-04-2024 11:59

10-04-2024 11:59

15-02-2024 02:33

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cba67b5a3086744c0d4f831079b319b.exe
Size

5.1MB
MD5

9cba67b5a3086744c0d4f831079b319b
SHA1

9db9ea7ad37fb54ada8486ce1bb5a4dab489186e
SHA256

28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486
SHA512

57cdd4cc35e8148cfed304cce7af9d43df50acc5fe2ec3a85c72723ba18e6153f16031ced478273292dabd95005da4a145656285e932d85569333f9dc740b649
SSDEEP

98304:NVJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jCP:7pOwu2t26uqRsnf2VXvD6jC

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

4napo6g3cp6av4hmxmwzi5lyojpfk3i2kl2tpssb2wvidqsa3kzo6eyd.onion:80

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
windows32file

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\","	9cba67b5a3086744c0d4f831079b319b.exe

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x0007000000023206-82.dat	acprotect
behavioral3/files/0x0007000000023202-81.dat	acprotect
behavioral3/files/0x0007000000023207-87.dat	acprotect
behavioral3/files/0x0007000000023204-85.dat	acprotect
behavioral3/files/0x0007000000023209-84.dat	acprotect
behavioral3/files/0x0007000000023205-83.dat	acprotect
behavioral3/files/0x0007000000023203-79.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	9cba67b5a3086744c0d4f831079b319b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	9cba67b5a3086744c0d4f831079b319b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
1984	windows32file.exe
3768	windows32file.exe
4836	windows32file.exe
4360	windows32file.exe
2184	windows32file.exe
704	windows32file.exe
3148	windows32file.exe
2696	windows32file.exe
1264	windows32file.exe
924	windows32file.exe
4340	windows32file.exe
4728	windows32file.exe
4336	windows32file.exe
4012	windows32file.exe
2308	windows32file.exe
3068	windows32file.exe
5032	windows32file.exe
4340	windows32file.exe
2912	windows32file.exe
4992	windows32file.exe
2580	windows32file.exe
1400	windows32file.exe
4736	windows32file.exe
3736	windows32file.exe
3180	windows32file.exe
3596	windows32file.exe
4516	windows32file.exe
5072	windows32file.exe
3840	windows32file.exe
4416	windows32file.exe
5040	windows32file.exe
4704	windows32file.exe
224	windows32file.exe
1568	windows32file.exe
3684	windows32file.exe
1856	windows32file.exe
2264	windows32file.exe
3204	windows32file.exe
2176	windows32file.exe
3144	windows32file.exe
3164	windows32file.exe
1420	windows32file.exe
2172	windows32file.exe
4260	windows32file.exe
3776	windows32file.exe
4536	windows32file.exe
2300	windows32file.exe
4480	windows32file.exe
3464	windows32file.exe
4668	windows32file.exe
3876	windows32file.exe
3748	windows32file.exe
3352	windows32file.exe
4536	windows32file.exe
3192	windows32file.exe
3200	windows32file.exe
3296	windows32file.exe
2288	windows32file.exe
1020	windows32file.exe
4564	windows32file.exe
2364	windows32file.exe
4636	windows32file.exe
4224	windows32file.exe
3344	windows32file.exe

Loads dropped DLL 64 IoCs

pid	Process
1984	windows32file.exe
1984	windows32file.exe
1984	windows32file.exe
1984	windows32file.exe
1984	windows32file.exe
1984	windows32file.exe
1984	windows32file.exe
1984	windows32file.exe
3768	windows32file.exe
3768	windows32file.exe
3768	windows32file.exe
3768	windows32file.exe
3768	windows32file.exe
3768	windows32file.exe
3768	windows32file.exe
4836	windows32file.exe
4836	windows32file.exe
4836	windows32file.exe
4836	windows32file.exe
4836	windows32file.exe
4836	windows32file.exe
4836	windows32file.exe
4360	windows32file.exe
4360	windows32file.exe
4360	windows32file.exe
4360	windows32file.exe
4360	windows32file.exe
4360	windows32file.exe
4360	windows32file.exe
2184	windows32file.exe
2184	windows32file.exe
2184	windows32file.exe
2184	windows32file.exe
2184	windows32file.exe
2184	windows32file.exe
2184	windows32file.exe
704	windows32file.exe
704	windows32file.exe
704	windows32file.exe
704	windows32file.exe
704	windows32file.exe
704	windows32file.exe
704	windows32file.exe
3148	windows32file.exe
3148	windows32file.exe
3148	windows32file.exe
3148	windows32file.exe
3148	windows32file.exe
3148	windows32file.exe
3148	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
2696	windows32file.exe
1264	windows32file.exe
1264	windows32file.exe
1264	windows32file.exe
1264	windows32file.exe
1264	windows32file.exe
1264	windows32file.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0007000000023208-76.dat	upx
behavioral3/files/0x0007000000023206-82.dat	upx
behavioral3/files/0x0007000000023202-81.dat	upx
behavioral3/memory/1984-80-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/files/0x0007000000023207-87.dat	upx
behavioral3/files/0x0007000000023204-85.dat	upx
behavioral3/files/0x0007000000023209-84.dat	upx
behavioral3/files/0x0007000000023205-83.dat	upx
behavioral3/memory/1984-88-0x000000006F570000-0x000000006F83F000-memory.dmp	upx
behavioral3/memory/1984-89-0x000000006F520000-0x000000006F569000-memory.dmp	upx
behavioral3/memory/1984-90-0x000000006F450000-0x000000006F51E000-memory.dmp	upx
behavioral3/memory/1984-92-0x000000006F310000-0x000000006F41A000-memory.dmp	upx
behavioral3/memory/1984-93-0x000000006F280000-0x000000006F308000-memory.dmp	upx
behavioral3/memory/1984-91-0x000000006F420000-0x000000006F444000-memory.dmp	upx
behavioral3/files/0x0007000000023203-79.dat	upx
behavioral3/memory/1984-97-0x000000006F840000-0x000000006F908000-memory.dmp	upx
behavioral3/memory/1984-107-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-109-0x000000006F570000-0x000000006F83F000-memory.dmp	upx
behavioral3/memory/1984-116-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-117-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-127-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-136-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-146-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-164-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/1984-174-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/3768-199-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/3768-201-0x000000006F840000-0x000000006F908000-memory.dmp	upx
behavioral3/memory/3768-203-0x000000006F450000-0x000000006F51E000-memory.dmp	upx
behavioral3/memory/3768-205-0x000000006F520000-0x000000006F569000-memory.dmp	upx
behavioral3/memory/3768-210-0x000000006F310000-0x000000006F41A000-memory.dmp	upx
behavioral3/memory/3768-208-0x000000006F420000-0x000000006F444000-memory.dmp	upx
behavioral3/memory/3768-212-0x000000006F280000-0x000000006F308000-memory.dmp	upx
behavioral3/memory/3768-215-0x000000006F570000-0x000000006F83F000-memory.dmp	upx
behavioral3/memory/3768-223-0x000000006F450000-0x000000006F51E000-memory.dmp	upx
behavioral3/memory/3768-222-0x000000006F840000-0x000000006F908000-memory.dmp	upx
behavioral3/memory/3768-221-0x00000000003F0000-0x00000000007F4000-memory.dmp	upx
behavioral3/memory/4836-245-0x00000000737A0000-0x0000000073868000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.198.207.48

Looks up external IP address via web service 31 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
150	myexternalip.com
320	myexternalip.com
335	myexternalip.com
212	myexternalip.com
286	myexternalip.com
308	myexternalip.com
244	myexternalip.com
373	myexternalip.com
75	myexternalip.com
258	myexternalip.com
64	myexternalip.com
88	myexternalip.com
327	myexternalip.com
65	myexternalip.com
161	myexternalip.com
203	myexternalip.com
273	myexternalip.com
300	myexternalip.com
365	myexternalip.com
95	myexternalip.com
122	myexternalip.com
170	myexternalip.com
178	myexternalip.com
194	myexternalip.com
250	myexternalip.com
350	myexternalip.com
141	myexternalip.com
185	myexternalip.com
228	myexternalip.com
343	myexternalip.com
357	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	9cba67b5a3086744c0d4f831079b319b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5096	9cba67b5a3086744c0d4f831079b319b.exe
5096	9cba67b5a3086744c0d4f831079b319b.exe
5096	9cba67b5a3086744c0d4f831079b319b.exe
5096	9cba67b5a3086744c0d4f831079b319b.exe
5096	9cba67b5a3086744c0d4f831079b319b.exe
5096	9cba67b5a3086744c0d4f831079b319b.exe
1436	powershell.exe
1436	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4556	9cba67b5a3086744c0d4f831079b319b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	9cba67b5a3086744c0d4f831079b319b.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeShutdownPrivilege	4556	9cba67b5a3086744c0d4f831079b319b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4556	9cba67b5a3086744c0d4f831079b319b.exe
4556	9cba67b5a3086744c0d4f831079b319b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3140	5096	9cba67b5a3086744c0d4f831079b319b.exe	97
PID 5096 wrote to memory of 3140	5096	9cba67b5a3086744c0d4f831079b319b.exe	97
PID 5096 wrote to memory of 3140	5096	9cba67b5a3086744c0d4f831079b319b.exe	97
PID 3140 wrote to memory of 1436	3140	WScript.exe	98
PID 3140 wrote to memory of 1436	3140	WScript.exe	98
PID 3140 wrote to memory of 1436	3140	WScript.exe	98
PID 5096 wrote to memory of 2080	5096	9cba67b5a3086744c0d4f831079b319b.exe	99
PID 5096 wrote to memory of 2080	5096	9cba67b5a3086744c0d4f831079b319b.exe	99
PID 5096 wrote to memory of 2080	5096	9cba67b5a3086744c0d4f831079b319b.exe	99
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 5096 wrote to memory of 4556	5096	9cba67b5a3086744c0d4f831079b319b.exe	100
PID 4556 wrote to memory of 1984	4556	9cba67b5a3086744c0d4f831079b319b.exe	102
PID 4556 wrote to memory of 1984	4556	9cba67b5a3086744c0d4f831079b319b.exe	102
PID 4556 wrote to memory of 1984	4556	9cba67b5a3086744c0d4f831079b319b.exe	102
PID 4556 wrote to memory of 3768	4556	9cba67b5a3086744c0d4f831079b319b.exe	103
PID 4556 wrote to memory of 3768	4556	9cba67b5a3086744c0d4f831079b319b.exe	103
PID 4556 wrote to memory of 3768	4556	9cba67b5a3086744c0d4f831079b319b.exe	103
PID 4556 wrote to memory of 4836	4556	9cba67b5a3086744c0d4f831079b319b.exe	104
PID 4556 wrote to memory of 4836	4556	9cba67b5a3086744c0d4f831079b319b.exe	104
PID 4556 wrote to memory of 4836	4556	9cba67b5a3086744c0d4f831079b319b.exe	104
PID 4556 wrote to memory of 4360	4556	9cba67b5a3086744c0d4f831079b319b.exe	105
PID 4556 wrote to memory of 4360	4556	9cba67b5a3086744c0d4f831079b319b.exe	105
PID 4556 wrote to memory of 4360	4556	9cba67b5a3086744c0d4f831079b319b.exe	105
PID 4556 wrote to memory of 2184	4556	9cba67b5a3086744c0d4f831079b319b.exe	106
PID 4556 wrote to memory of 2184	4556	9cba67b5a3086744c0d4f831079b319b.exe	106
PID 4556 wrote to memory of 2184	4556	9cba67b5a3086744c0d4f831079b319b.exe	106
PID 4556 wrote to memory of 704	4556	9cba67b5a3086744c0d4f831079b319b.exe	107
PID 4556 wrote to memory of 704	4556	9cba67b5a3086744c0d4f831079b319b.exe	107
PID 4556 wrote to memory of 704	4556	9cba67b5a3086744c0d4f831079b319b.exe	107
PID 4556 wrote to memory of 3148	4556	9cba67b5a3086744c0d4f831079b319b.exe	108
PID 4556 wrote to memory of 3148	4556	9cba67b5a3086744c0d4f831079b319b.exe	108
PID 4556 wrote to memory of 3148	4556	9cba67b5a3086744c0d4f831079b319b.exe	108
PID 4556 wrote to memory of 2696	4556	9cba67b5a3086744c0d4f831079b319b.exe	109
PID 4556 wrote to memory of 2696	4556	9cba67b5a3086744c0d4f831079b319b.exe	109
PID 4556 wrote to memory of 2696	4556	9cba67b5a3086744c0d4f831079b319b.exe	109
PID 4556 wrote to memory of 1264	4556	9cba67b5a3086744c0d4f831079b319b.exe	110
PID 4556 wrote to memory of 1264	4556	9cba67b5a3086744c0d4f831079b319b.exe	110
PID 4556 wrote to memory of 1264	4556	9cba67b5a3086744c0d4f831079b319b.exe	110
PID 4556 wrote to memory of 924	4556	9cba67b5a3086744c0d4f831079b319b.exe	111
PID 4556 wrote to memory of 924	4556	9cba67b5a3086744c0d4f831079b319b.exe	111
PID 4556 wrote to memory of 924	4556	9cba67b5a3086744c0d4f831079b319b.exe	111
PID 4556 wrote to memory of 4340	4556	9cba67b5a3086744c0d4f831079b319b.exe	112
PID 4556 wrote to memory of 4340	4556	9cba67b5a3086744c0d4f831079b319b.exe	112
PID 4556 wrote to memory of 4340	4556	9cba67b5a3086744c0d4f831079b319b.exe	112
PID 4556 wrote to memory of 4728	4556	9cba67b5a3086744c0d4f831079b319b.exe	113
PID 4556 wrote to memory of 4728	4556	9cba67b5a3086744c0d4f831079b319b.exe	113
PID 4556 wrote to memory of 4728	4556	9cba67b5a3086744c0d4f831079b319b.exe	113
PID 4556 wrote to memory of 4336	4556	9cba67b5a3086744c0d4f831079b319b.exe	114
PID 4556 wrote to memory of 4336	4556	9cba67b5a3086744c0d4f831079b319b.exe	114
PID 4556 wrote to memory of 4336	4556	9cba67b5a3086744c0d4f831079b319b.exe	114
PID 4556 wrote to memory of 4012	4556	9cba67b5a3086744c0d4f831079b319b.exe	115
PID 4556 wrote to memory of 4012	4556	9cba67b5a3086744c0d4f831079b319b.exe	115
PID 4556 wrote to memory of 4012	4556	9cba67b5a3086744c0d4f831079b319b.exe	115
PID 4556 wrote to memory of 2308	4556	9cba67b5a3086744c0d4f831079b319b.exe	116

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3768
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4836
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4360
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2184
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:704
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3148
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2696
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1264
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:924
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4340
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4728
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4336
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4012
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4340
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3736
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3180
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3596
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4516
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3840
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4416
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4704
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3684
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1856
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2264
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3204
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2176
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3144
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3164
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4260
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3776
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2300
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4480
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3464
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4668
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3876
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3748
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3352
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3192
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3200
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2288
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4564
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2364
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4636
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4224
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    PID:932
- - C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
    "C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
    3⤵
    PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

Filesize
150B

MD5
ed6d432bdbf28ed6ac0cf59692f5e0fe

SHA1
29b388b1b2cf5d2fea4d80088093ec6ea2575ca7

SHA256
452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe

SHA512
9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxqhezfq.kxp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs

Filesize
20.3MB

MD5
f04a2b7d38062676fd889c5f3715b743

SHA1
858397446f6b7dd795946b26b388b0e05c895673

SHA256
3b782bf6eb45aea803ac19a93cef72c6c34383c972c88d2ec60f11fa9126d6eb

SHA512
d85261e5a62e2a2fb045e1a3d5b51496a9f01c42a77a559a93b0513438097348c531f3c1cd3c37c11e55568d5e3e389517585daa5cc93ce96adc0be00196484c

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

Filesize
3KB

MD5
29dde2ed42aed2fd8bb8aa18cc5babc2

SHA1
e6e4673e2a5a42cf58224bd12b93deb902d260b4

SHA256
b46ec740df51e98c42e2669c087fd116a583c73f3ded13b26d717438baa99559

SHA512
633c9755b40d0ecf0448da562a7385ec8936c71c3a272f2bcab5b96cb14154ed59d4a0f14c18233d3c54357ba00748da5f18117dc91efd490c46ef433cf030c2

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

Filesize
157B

MD5
10e4369f9761d5401203f24a43aec777

SHA1
f6237d60d66f0bdc642836387c2e9adaf60114d2

SHA256
1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976

SHA512
7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1436-37-0x000000007FD60000-0x000000007FD70000-memory.dmp

Filesize
64KB

Download
memory/1436-72-0x0000000007D70000-0x0000000007D78000-memory.dmp

Filesize
32KB

Download
memory/1436-20-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/1436-21-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1436-22-0x0000000005710000-0x0000000005732000-memory.dmp

Filesize
136KB

Download
memory/1436-23-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/1436-29-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/1436-19-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1436-34-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/1436-35-0x00000000067D0000-0x00000000067EE000-memory.dmp

Filesize
120KB

Download
memory/1436-36-0x00000000067F0000-0x000000000683C000-memory.dmp

Filesize
304KB

Download
memory/1436-98-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1436-38-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/1436-39-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

Filesize
304KB

Download
memory/1436-49-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

Filesize
120KB

Download
memory/1436-50-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1436-52-0x00000000079C0000-0x0000000007A63000-memory.dmp

Filesize
652KB

Download
memory/1436-51-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1436-53-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/1436-54-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/1436-55-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/1436-56-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/1436-57-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/1436-18-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/1436-60-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/1436-61-0x0000000007D30000-0x0000000007D44000-memory.dmp

Filesize
80KB

Download
memory/1436-62-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/1984-91-0x000000006F420000-0x000000006F444000-memory.dmp

Filesize
144KB

Download
memory/1984-107-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-174-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-164-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-80-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-146-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-136-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-127-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-126-0x0000000001830000-0x00000000018B8000-memory.dmp

Filesize
544KB

Download
memory/1984-88-0x000000006F570000-0x000000006F83F000-memory.dmp

Filesize
2.8MB

Download
memory/1984-89-0x000000006F520000-0x000000006F569000-memory.dmp

Filesize
292KB

Download
memory/1984-90-0x000000006F450000-0x000000006F51E000-memory.dmp

Filesize
824KB

Download
memory/1984-92-0x000000006F310000-0x000000006F41A000-memory.dmp

Filesize
1.0MB

Download
memory/1984-93-0x000000006F280000-0x000000006F308000-memory.dmp

Filesize
544KB

Download
memory/1984-117-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-116-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/1984-94-0x0000000001830000-0x00000000018B8000-memory.dmp

Filesize
544KB

Download
memory/1984-97-0x000000006F840000-0x000000006F908000-memory.dmp

Filesize
800KB

Download
memory/1984-109-0x000000006F570000-0x000000006F83F000-memory.dmp

Filesize
2.8MB

Download
memory/3768-203-0x000000006F450000-0x000000006F51E000-memory.dmp

Filesize
824KB

Download
memory/3768-199-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/3768-221-0x00000000003F0000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/3768-222-0x000000006F840000-0x000000006F908000-memory.dmp

Filesize
800KB

Download
memory/3768-223-0x000000006F450000-0x000000006F51E000-memory.dmp

Filesize
824KB

Download
memory/3768-215-0x000000006F570000-0x000000006F83F000-memory.dmp

Filesize
2.8MB

Download
memory/3768-212-0x000000006F280000-0x000000006F308000-memory.dmp

Filesize
544KB

Download
memory/3768-208-0x000000006F420000-0x000000006F444000-memory.dmp

Filesize
144KB

Download
memory/3768-210-0x000000006F310000-0x000000006F41A000-memory.dmp

Filesize
1.0MB

Download
memory/3768-205-0x000000006F520000-0x000000006F569000-memory.dmp

Filesize
292KB

Download
memory/3768-201-0x000000006F840000-0x000000006F908000-memory.dmp

Filesize
800KB

Download
memory/4556-15-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-59-0x00000000700B0000-0x00000000700E9000-memory.dmp

Filesize
228KB

Download
memory/4556-224-0x0000000073C20000-0x0000000073C59000-memory.dmp

Filesize
228KB

Download
memory/4556-12-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-145-0x0000000075430000-0x0000000075469000-memory.dmp

Filesize
228KB

Download
memory/4556-13-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-155-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-162-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-100-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-173-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-101-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-17-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-102-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-103-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-104-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-106-0x0000000075430000-0x0000000075469000-memory.dmp

Filesize
228KB

Download
memory/4556-99-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4556-105-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4836-245-0x00000000737A0000-0x0000000073868000-memory.dmp

Filesize
800KB

Download
memory/5096-3-0x00000000035C0000-0x00000000035CA000-memory.dmp

Filesize
40KB

Download
memory/5096-0-0x0000000000DD0000-0x00000000012F0000-memory.dmp

Filesize
5.1MB

Download
memory/5096-5-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-4-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/5096-16-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-6-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/5096-2-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/5096-1-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download