1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6

max time kernel
1798s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7613e5c267e7f270918ef87fcb1e45c.exe
Size

7.8MB
MD5

a7613e5c267e7f270918ef87fcb1e45c
SHA1

5ce965496ce1d9eea2d78548854bd486c11329d1
SHA256

1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6
SHA512

19888cf9937c44770dff47027ada8ef8eaa46cc849717ec0fb46bb32d07434b3b851efa708decd2fa18c07333cc247d35e03d71fbd386caea839bf44cdd7c0d2
SSDEEP

196608:LIRcbH4jSteTGvCxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuCxwZ6v1CPwDv3uFteg2EeJUO9E

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a7613e5c267e7f270918ef87fcb1e45c.exe

Executes dropped EXE 58 IoCs

Processes:

windows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exe

pid	process
2420	windows32.exe
1536	windows32.exe
2352	windows32.exe
1304	windows32.exe
3184	windows32.exe
1452	windows32.exe
3608	windows32.exe
112	windows32.exe
2248	windows32.exe
780	windows32.exe
1576	windows32.exe
1276	windows32.exe
1384	windows32.exe
3000	windows32.exe
884	windows32.exe
1360	windows32.exe
4632	windows32.exe
940	windows32.exe
3172	windows32.exe
3732	windows32.exe
2252	windows32.exe
2340	windows32.exe
1076	windows32.exe
3728	windows32.exe
4236	windows32.exe
4168	windows32.exe
3484	windows32.exe
180	windows32.exe
4608	windows32.exe
412	windows32.exe
3124	windows32.exe
4516	windows32.exe
760	windows32.exe
5092	windows32.exe
5108	windows32.exe
220	windows32.exe
4128	windows32.exe
3252	windows32.exe
844	windows32.exe
404	windows32.exe
1108	windows32.exe
3412	windows32.exe
4952	windows32.exe
4980	windows32.exe
3668	windows32.exe
4904	windows32.exe
3232	windows32.exe
2996	windows32.exe
400	windows32.exe
1896	windows32.exe
3404	windows32.exe
32	windows32.exe
3016	windows32.exe
3688	windows32.exe
716	windows32.exe
3900	windows32.exe
1648	windows32.exe
4020	windows32.exe

Loads dropped DLL 64 IoCs

Processes:

windows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exe

pid	process
2420	windows32.exe
2420	windows32.exe
2420	windows32.exe
2420	windows32.exe
2420	windows32.exe
2420	windows32.exe
2420	windows32.exe
2420	windows32.exe
1536	windows32.exe
1536	windows32.exe
1536	windows32.exe
1536	windows32.exe
1536	windows32.exe
1536	windows32.exe
1536	windows32.exe
2352	windows32.exe
2352	windows32.exe
2352	windows32.exe
2352	windows32.exe
2352	windows32.exe
2352	windows32.exe
2352	windows32.exe
1304	windows32.exe
1304	windows32.exe
1304	windows32.exe
1304	windows32.exe
1304	windows32.exe
1304	windows32.exe
1304	windows32.exe
3184	windows32.exe
3184	windows32.exe
3184	windows32.exe
3184	windows32.exe
3184	windows32.exe
3184	windows32.exe
3184	windows32.exe
1452	windows32.exe
1452	windows32.exe
1452	windows32.exe
1452	windows32.exe
1452	windows32.exe
1452	windows32.exe
1452	windows32.exe
3608	windows32.exe
3608	windows32.exe
3608	windows32.exe
3608	windows32.exe
3608	windows32.exe
3608	windows32.exe
3608	windows32.exe
112	windows32.exe
112	windows32.exe
112	windows32.exe
112	windows32.exe
112	windows32.exe
112	windows32.exe
112	windows32.exe
2248	windows32.exe
2248	windows32.exe
2248	windows32.exe
2248	windows32.exe
2248	windows32.exe
2248	windows32.exe
2248	windows32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll	upx
behavioral3/memory/2420-21-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll	upx
behavioral3/memory/2420-27-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll	upx
behavioral3/memory/2420-31-0x0000000073FE0000-0x00000000740A8000-memory.dmp	upx
behavioral3/memory/2420-34-0x0000000073E10000-0x0000000073F1A000-memory.dmp	upx
behavioral3/memory/2420-35-0x0000000073FB0000-0x0000000073FD4000-memory.dmp	upx
behavioral3/memory/2420-36-0x0000000073F20000-0x0000000073FA8000-memory.dmp	upx
behavioral3/memory/2420-28-0x00000000740B0000-0x000000007417E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll	upx
behavioral3/memory/2420-40-0x0000000073B40000-0x0000000073E0F000-memory.dmp	upx
behavioral3/memory/2420-45-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-46-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral3/memory/2420-47-0x00000000740B0000-0x000000007417E000-memory.dmp	upx
behavioral3/memory/2420-48-0x0000000073FE0000-0x00000000740A8000-memory.dmp	upx
behavioral3/memory/2420-49-0x0000000073FB0000-0x0000000073FD4000-memory.dmp	upx
behavioral3/memory/2420-50-0x0000000073F20000-0x0000000073FA8000-memory.dmp	upx
behavioral3/memory/2420-51-0x0000000073E10000-0x0000000073F1A000-memory.dmp	upx
behavioral3/memory/2420-52-0x0000000073B40000-0x0000000073E0F000-memory.dmp	upx
behavioral3/memory/2420-61-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-65-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-74-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-89-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-97-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-105-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2420-114-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1536-130-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1536-131-0x0000000073B40000-0x0000000073E0F000-memory.dmp	upx
behavioral3/memory/1536-132-0x0000000073FE0000-0x00000000740A8000-memory.dmp	upx
behavioral3/memory/1536-136-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral3/memory/1536-137-0x0000000073FB0000-0x0000000073FD4000-memory.dmp	upx
behavioral3/memory/1536-140-0x0000000073E10000-0x0000000073F1A000-memory.dmp	upx
behavioral3/memory/1536-141-0x0000000073F20000-0x0000000073FA8000-memory.dmp	upx
behavioral3/memory/1536-133-0x00000000740B0000-0x000000007417E000-memory.dmp	upx
behavioral3/memory/1536-152-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1536-153-0x0000000073B40000-0x0000000073E0F000-memory.dmp	upx
behavioral3/memory/1536-154-0x0000000073FE0000-0x00000000740A8000-memory.dmp	upx
behavioral3/memory/1536-155-0x00000000740B0000-0x000000007417E000-memory.dmp	upx
behavioral3/memory/1536-169-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1536-219-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2352-224-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/2352-225-0x0000000073B40000-0x0000000073E0F000-memory.dmp	upx
behavioral3/memory/2352-226-0x0000000073FE0000-0x00000000740A8000-memory.dmp	upx
behavioral3/memory/2352-227-0x00000000740B0000-0x000000007417E000-memory.dmp	upx
behavioral3/memory/2352-228-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral3/memory/2352-229-0x0000000073FB0000-0x0000000073FD4000-memory.dmp	upx
behavioral3/memory/2352-230-0x0000000073E10000-0x0000000073F1A000-memory.dmp	upx
behavioral3/memory/2352-231-0x0000000073F20000-0x0000000073FA8000-memory.dmp	upx
behavioral3/memory/2352-256-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1304-290-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1304-291-0x0000000073FE0000-0x00000000740A8000-memory.dmp	upx
behavioral3/memory/1304-293-0x00000000740B0000-0x000000007417E000-memory.dmp	upx
behavioral3/memory/1304-295-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral3/memory/1304-300-0x0000000073E10000-0x0000000073F1A000-memory.dmp	upx
behavioral3/memory/1304-301-0x0000000073F20000-0x0000000073FA8000-memory.dmp	upx
behavioral3/memory/1304-298-0x0000000073FB0000-0x0000000073FD4000-memory.dmp	upx
behavioral3/memory/1304-303-0x0000000073B40000-0x0000000073E0F000-memory.dmp	upx
behavioral3/memory/2352-304-0x00000000009D0000-0x0000000000DD4000-memory.dmp	upx
behavioral3/memory/1304-319-0x0000000073E10000-0x0000000073F1A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe䄀"	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe瘀"	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe\ue800"	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe"	a7613e5c267e7f270918ef87fcb1e45c.exe

Looks up external IP address via web service 32 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
76	myexternalip.com
116	myexternalip.com
135	myexternalip.com
180	myexternalip.com
249	myexternalip.com
272	myexternalip.com
315	myexternalip.com
331	myexternalip.com
341	myexternalip.com
371	myexternalip.com
348	myexternalip.com
75	myexternalip.com
166	myexternalip.com
300	myexternalip.com
106	myexternalip.com
147	myexternalip.com
254	myexternalip.com
291	myexternalip.com
97	myexternalip.com
205	myexternalip.com
223	myexternalip.com
356	myexternalip.com
157	myexternalip.com
188	myexternalip.com
215	myexternalip.com
230	myexternalip.com
240	myexternalip.com
280	myexternalip.com
363	myexternalip.com
197	myexternalip.com
266	myexternalip.com
323	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid	process
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid process

3464 a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious behavior: RenamesItself 64 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid	process
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe
3464	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description pid process

Token: SeShutdownPrivilege 3464 a7613e5c267e7f270918ef87fcb1e45c.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid process

3464 a7613e5c267e7f270918ef87fcb1e45c.exe
3464 a7613e5c267e7f270918ef87fcb1e45c.exe

description	pid	process
Token: SeShutdownPrivilege	3464	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description	pid	process	target process
PID 3464 wrote to memory of 2420	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2420	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2420	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1536	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1536	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1536	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2352	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2352	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2352	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1304	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1304	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1304	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3184	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3184	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3184	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1452	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1452	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1452	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3608	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3608	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3608	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 112	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 112	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 112	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2248	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2248	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2248	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 780	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 780	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 780	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1576	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1576	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1576	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1276	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1276	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1276	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1384	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1384	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1384	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3000	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3000	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3000	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 884	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 884	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 884	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1360	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1360	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 1360	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 4632	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 4632	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 4632	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 940	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 940	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 940	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3172	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3172	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3172	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3732	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3732	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 3732	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2252	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2252	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2252	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 3464 wrote to memory of 2340	3464	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe

C:\Users\Admin\AppData\Local\Temp\a7613e5c267e7f270918ef87fcb1e45c.exe
"C:\Users\Admin\AppData\Local\Temp\a7613e5c267e7f270918ef87fcb1e45c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2420
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1536
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2352
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1304
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3184
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1452
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3608
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:112
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2248
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:180
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
  "C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
  2⤵
  - Executes dropped EXE
  PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3964 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-certs

Filesize
20KB

MD5
3d8cb130e868caf434b857d0d6cd3c50

SHA1
04691df20f1f5c171a363836ccae6a85fe9b0848

SHA256
79b7f8937468ac431682c398273b9639b4660bf442d97df83ca5461915d01ab8

SHA512
79c3d3a06cca4f290c66d3b7270559e586fa5454d306a86c398a4fdce83a3deaaa88a55433f2d75b393cdfdf899cddf947411da65486bc75fc2db491e0811486

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
381cc5ba2ce158b71214b0d01a0b1a5c

SHA1
d7c546b983b31d2785f46e3b097992f96445074d

SHA256
ad8060faee1771ee0547d651d4cceee52263e534b0cf84efa75f6c0bab1187ec

SHA512
8fc885b883e058bb907a3eb8d2a88bfa6729d114f926db80c15af03aa01f2e8833727c80e77903a730c7721f9e3730e6a95cd4d938c7da24c0848ff34691f8b4

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs

Filesize
9.1MB

MD5
efbd226a5de4078fd22ed857e4c3e574

SHA1
a94665914b4117d1634fc4feb9154e53f4c391ce

SHA256
b9e2127bc13068f516fd1af9287b6f0e67c00529c089e8a02470033d05657f4b

SHA512
fab0ecc5cf82d63c906a50b1de0fb1491e77b2c7f4c44ffbd11111628b423e5835292dce63a95b56d5e2638fa10c539bdaa32c6662b4ce537adc723d419bca42

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new

Filesize
6.9MB

MD5
125fb95fddc71774f3fd9253531e7830

SHA1
24e46d27e474daf91c81023c2ba91fd0f951937a

SHA256
d20740cefc13de3ff0aa254a2870176404a9fb8bc0150a23b9fa308cb44af2dd

SHA512
d74cbd9a755d3fef52ba437082489248f62312f4662c9d6282470b3d30f3d799524f03b0466eac147af3bf5541e0ebd75d1934d094398f002f208a1c255d66ff

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new

Filesize
11.2MB

MD5
b178584f32838a29a2e321ba0047facf

SHA1
3da16b5c63dbd1abcf04f42997759b9caf7221df

SHA256
7529154870e9633b8fc65a69fa5e38708c67aac580a97c920f520764dfc9ec06

SHA512
372d8b9d34f6895e6b78b63c5c77d4235c07a7100ba42b6fa2cae216cd4b321a2940ef163a326d59f60a733c54eea314ab52651e3aa18905b8e26a0643e331ea

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new

Filesize
9.1MB

MD5
80d19c3eaa70ee039f463f64bb012f90

SHA1
67754106010ee2cfcc18fc3ce0f43d2158a07c9b

SHA256
47625428132b11820a0688a5ed39f9fded203b247da03696789210027b2c810a

SHA512
3837d15c6436212f2e09ad95204694f025a2e6532c9d0e13ebefbadb20965dd4a551415f11f9ae609a924a5b50640748236e9c9ff95d4417be9e189fa3fe2bf4

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\state

Filesize
3KB

MD5
dd37d9cda526e7247679bfef749f0e42

SHA1
ad37539c354bc61bce346bf0150bd674b92a7ca5

SHA256
696e018de9ba07033fa8d2391a463aad64a4dc9df8830de2f8033cd785185c21

SHA512
7b869a6ca5f9335b574983b786a48a53be53593100508ea69ff1e04a3f98321dbe1e89e83112d1d4c2dc1e7018c6448966335c3f3ff7b53c2404765f0b1be716

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\state

Filesize
5KB

MD5
90c2caa480507046bcbc9a5415ed7bcb

SHA1
667e37e78aef61fd3f1d2ef38f55fe8da6bb54e3

SHA256
5cdfe07d854033673aa0328d587abf00aa5865fc718e22267a4999da7cacca99

SHA512
c53c02fb3c51c7814727f436378ca1fe7e39bfc65c9dd05f2e4362ced8fdd8d91d8d59696ba8475f0402e8d93f641515ce728e628ae656dc95007f4d485ef88a

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\state

Filesize
232B

MD5
b4a5d5de2ecad88c648cc87b8e9b6375

SHA1
7ac7b109b903b21db770640c0415b09dfaa70291

SHA256
360dc2b2a2e0ac57ddae965b6c9494b8f98fe3c6a753de48230b77229018a5da

SHA512
e7ed23bacbfe3568fa9697a8b33cf2ab7c16a617f2a5ba62048dac0a68bd40b441a0a6aa733d6b81b5c7e06e01181c9cc2ff9b2f7a5698660be9874853e5fce8

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\torrc

Filesize
157B

MD5
d55bed9415496532e5333ecaff1e308d

SHA1
074dc0ad8d7b3f86679c321ec7377b3394659a52

SHA256
aacbccc1d0337c77cb4408cd9556b8e31d3a0390ab2ab6b17ad3bf30f2c93850

SHA512
69c492e32f75809ee12cf29a38d71435ec39e9327970dd7f108ce0599804008c0e3a462d244796a5592b587e1c8f1c1f78c2602d539f6d84bf33c18eb38276a5

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1304-320-0x0000000073F20000-0x0000000073FA8000-memory.dmp

Filesize
544KB

Download
memory/1304-303-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/1304-298-0x0000000073FB0000-0x0000000073FD4000-memory.dmp

Filesize
144KB

Download
memory/1304-301-0x0000000073F20000-0x0000000073FA8000-memory.dmp

Filesize
544KB

Download
memory/1304-300-0x0000000073E10000-0x0000000073F1A000-memory.dmp

Filesize
1.0MB

Download
memory/1304-295-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/1304-293-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/1304-291-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/1304-290-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/1304-319-0x0000000073E10000-0x0000000073F1A000-memory.dmp

Filesize
1.0MB

Download
memory/1304-321-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/1304-317-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/1304-318-0x0000000073FB0000-0x0000000073FD4000-memory.dmp

Filesize
144KB

Download
memory/1304-316-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/1304-315-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/1304-314-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/1536-154-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/1536-141-0x0000000073F20000-0x0000000073FA8000-memory.dmp

Filesize
544KB

Download
memory/1536-219-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/1536-169-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/1536-130-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/1536-131-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/1536-132-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/1536-136-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/1536-137-0x0000000073FB0000-0x0000000073FD4000-memory.dmp

Filesize
144KB

Download
memory/1536-155-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/1536-140-0x0000000073E10000-0x0000000073F1A000-memory.dmp

Filesize
1.0MB

Download
memory/1536-153-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/1536-133-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/1536-152-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2352-230-0x0000000073E10000-0x0000000073F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2352-225-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/2352-229-0x0000000073FB0000-0x0000000073FD4000-memory.dmp

Filesize
144KB

Download
memory/2352-231-0x0000000073F20000-0x0000000073FA8000-memory.dmp

Filesize
544KB

Download
memory/2352-228-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/2352-256-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2352-227-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/2352-304-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2352-224-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2352-226-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/2420-34-0x0000000073E10000-0x0000000073F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2420-40-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/2420-73-0x0000000001590000-0x000000000185F000-memory.dmp

Filesize
2.8MB

Download
memory/2420-21-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-27-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/2420-74-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-89-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-61-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-52-0x0000000073B40000-0x0000000073E0F000-memory.dmp

Filesize
2.8MB

Download
memory/2420-31-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/2420-114-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-51-0x0000000073E10000-0x0000000073F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2420-50-0x0000000073F20000-0x0000000073FA8000-memory.dmp

Filesize
544KB

Download
memory/2420-49-0x0000000073FB0000-0x0000000073FD4000-memory.dmp

Filesize
144KB

Download
memory/2420-48-0x0000000073FE0000-0x00000000740A8000-memory.dmp

Filesize
800KB

Download
memory/2420-47-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/2420-46-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/2420-45-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-97-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-105-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-39-0x0000000001590000-0x000000000185F000-memory.dmp

Filesize
2.8MB

Download
memory/2420-65-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/2420-28-0x00000000740B0000-0x000000007417E000-memory.dmp

Filesize
824KB

Download
memory/2420-36-0x0000000073F20000-0x0000000073FA8000-memory.dmp

Filesize
544KB

Download
memory/2420-35-0x0000000073FB0000-0x0000000073FD4000-memory.dmp

Filesize
144KB

Download
memory/3184-339-0x0000000073C20000-0x0000000073C44000-memory.dmp

Filesize
144KB

Download
memory/3184-365-0x0000000073F10000-0x00000000741DF000-memory.dmp

Filesize
2.8MB

Download
memory/3184-364-0x00000000009D0000-0x0000000000DD4000-memory.dmp

Filesize
4.0MB

Download
memory/3184-334-0x0000000073E40000-0x0000000073F08000-memory.dmp

Filesize
800KB

Download
memory/3184-337-0x0000000073C50000-0x0000000073CD8000-memory.dmp

Filesize
544KB

Download
memory/3184-336-0x0000000073CE0000-0x0000000073DEA000-memory.dmp

Filesize
1.0MB

Download
memory/3184-335-0x0000000073DF0000-0x0000000073E39000-memory.dmp

Filesize
292KB

Download
memory/3184-333-0x0000000073F10000-0x00000000741DF000-memory.dmp

Filesize
2.8MB

Download
memory/3184-354-0x0000000073C50000-0x0000000073CD8000-memory.dmp

Filesize
544KB

Download
memory/3184-340-0x0000000073B50000-0x0000000073C1E000-memory.dmp

Filesize
824KB

Download
memory/3464-332-0x0000000074CB0000-0x0000000074CE9000-memory.dmp

Filesize
228KB

Download
memory/3464-168-0x00000000739D0000-0x0000000073A09000-memory.dmp

Filesize
228KB

Download
memory/3464-353-0x0000000073760000-0x0000000073799000-memory.dmp

Filesize
228KB

Download
memory/3464-44-0x0000000073760000-0x0000000073799000-memory.dmp

Filesize
228KB

Download
memory/3464-355-0x0000000072850000-0x0000000072889000-memory.dmp

Filesize
228KB

Download
memory/3464-0-0x0000000074CB0000-0x0000000074CE9000-memory.dmp

Filesize
228KB

Download
memory/3464-255-0x00000000739D0000-0x0000000073A09000-memory.dmp

Filesize
228KB

Download