bitrat | 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

15-04-2024 13:19

10-04-2024 12:02

10-04-2024 12:02

Analysis

max time kernel
1811s
max time network
1815s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bff99becc32bcbe56efbe7a75f4d45.exe
Size

7.0MB
MD5

75bff99becc32bcbe56efbe7a75f4d45
SHA1

81bfcc77809161a5254a27d3d4d30548c96fcd5b
SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
SHA512

940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69
SSDEEP

49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes

communication_password
d93b4f1ee6f5b875a4f7fcef966bd09a
tor_process
WinSock

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral3/memory/4872-8-0x0000000003AA0000-0x0000000003B22000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-9-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-10-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-12-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-14-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-16-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-18-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-21-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-23-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-25-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-27-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-29-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-31-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-33-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-35-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-37-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-39-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-41-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-43-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-45-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-47-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-49-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-51-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-53-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-55-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-57-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-59-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-61-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-63-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-65-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-67-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-69-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-71-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-73-0x0000000003AA0000-0x0000000003B1C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","	75bff99becc32bcbe56efbe7a75f4d45.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x000800000002320f-2461.dat	acprotect
behavioral3/files/0x0008000000023210-2463.dat	acprotect
behavioral3/files/0x0007000000023215-2466.dat	acprotect
behavioral3/files/0x0007000000023214-2470.dat	acprotect
behavioral3/files/0x0007000000023216-2471.dat	acprotect
behavioral3/files/0x0007000000023218-2472.dat	acprotect
behavioral3/files/0x0007000000023213-2473.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	75bff99becc32bcbe56efbe7a75f4d45.exe

Executes dropped EXE 64 IoCs

pid	Process
3048	WinSock.exe
1380	WinSock.exe
968	WinSock.exe
4688	WinSock.exe
1200	WinSock.exe
3800	WinSock.exe
728	WinSock.exe
488	WinSock.exe
1408	WinSock.exe
3296	WinSock.exe
1872	WinSock.exe
788	WinSock.exe
3228	WinSock.exe
4236	WinSock.exe
424	WinSock.exe
3500	WinSock.exe
2356	WinSock.exe
1144	WinSock.exe
4744	WinSock.exe
3376	WinSock.exe
3024	WinSock.exe
392	WinSock.exe
5112	WinSock.exe
3604	WinSock.exe
4188	WinSock.exe
4276	WinSock.exe
2024	WinSock.exe
3232	WinSock.exe
1188	WinSock.exe
3280	WinSock.exe
2820	WinSock.exe
2564	WinSock.exe
424	WinSock.exe
2164	WinSock.exe
404	WinSock.exe
2720	WinSock.exe
2988	WinSock.exe
1972	WinSock.exe
3100	WinSock.exe
3372	WinSock.exe
2376	WinSock.exe
1020	WinSock.exe
4584	WinSock.exe
5064	WinSock.exe
2308	WinSock.exe
5028	WinSock.exe
2664	WinSock.exe
3536	WinSock.exe
3560	WinSock.exe
4644	WinSock.exe
3800	WinSock.exe
1124	WinSock.exe
4616	WinSock.exe
4100	WinSock.exe
1248	WinSock.exe
4176	WinSock.exe
3916	WinSock.exe
3596	WinSock.exe
4436	WinSock.exe
1064	WinSock.exe
1412	WinSock.exe
1540	WinSock.exe
3632	WinSock.exe
1796	WinSock.exe

Loads dropped DLL 64 IoCs

pid	Process
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
3048	WinSock.exe
1380	WinSock.exe
1380	WinSock.exe
1380	WinSock.exe
1380	WinSock.exe
1380	WinSock.exe
1380	WinSock.exe
1380	WinSock.exe
968	WinSock.exe
968	WinSock.exe
968	WinSock.exe
968	WinSock.exe
968	WinSock.exe
968	WinSock.exe
968	WinSock.exe
4688	WinSock.exe
4688	WinSock.exe
4688	WinSock.exe
4688	WinSock.exe
4688	WinSock.exe
4688	WinSock.exe
4688	WinSock.exe
1200	WinSock.exe
1200	WinSock.exe
1200	WinSock.exe
1200	WinSock.exe
1200	WinSock.exe
1200	WinSock.exe
1200	WinSock.exe
3800	WinSock.exe
3800	WinSock.exe
3800	WinSock.exe
3800	WinSock.exe
3800	WinSock.exe
3800	WinSock.exe
3800	WinSock.exe
728	WinSock.exe
728	WinSock.exe
728	WinSock.exe
728	WinSock.exe
728	WinSock.exe
728	WinSock.exe
728	WinSock.exe
488	WinSock.exe
488	WinSock.exe
488	WinSock.exe
488	WinSock.exe
488	WinSock.exe
488	WinSock.exe
488	WinSock.exe
1408	WinSock.exe
1408	WinSock.exe
1408	WinSock.exe
1408	WinSock.exe
1408	WinSock.exe
1408	WinSock.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0007000000023217-2457.dat	upx
behavioral3/memory/3048-2462-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/files/0x000800000002320f-2461.dat	upx
behavioral3/files/0x0008000000023210-2463.dat	upx
behavioral3/files/0x0007000000023215-2466.dat	upx
behavioral3/files/0x0007000000023214-2470.dat	upx
behavioral3/files/0x0007000000023216-2471.dat	upx
behavioral3/files/0x0007000000023218-2472.dat	upx
behavioral3/memory/3048-2474-0x0000000074560000-0x00000000745A9000-memory.dmp	upx
behavioral3/memory/3048-2475-0x0000000074490000-0x0000000074558000-memory.dmp	upx
behavioral3/memory/3048-2481-0x0000000073F20000-0x00000000741EF000-memory.dmp	upx
behavioral3/memory/3048-2483-0x0000000074280000-0x000000007438A000-memory.dmp	upx
behavioral3/memory/3048-2484-0x00000000741F0000-0x0000000074278000-memory.dmp	upx
behavioral3/memory/3048-2478-0x0000000074390000-0x00000000743B4000-memory.dmp	upx
behavioral3/memory/3048-2476-0x00000000743C0000-0x000000007448E000-memory.dmp	upx
behavioral3/files/0x0007000000023213-2473.dat	upx
behavioral3/memory/3048-2530-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/3048-2532-0x00000000743C0000-0x000000007448E000-memory.dmp	upx
behavioral3/memory/3048-2531-0x0000000074560000-0x00000000745A9000-memory.dmp	upx
behavioral3/memory/3048-2533-0x0000000074390000-0x00000000743B4000-memory.dmp	upx
behavioral3/memory/3048-2534-0x0000000073F20000-0x00000000741EF000-memory.dmp	upx
behavioral3/memory/3048-2535-0x0000000074490000-0x0000000074558000-memory.dmp	upx
behavioral3/memory/3048-2536-0x0000000074280000-0x000000007438A000-memory.dmp	upx
behavioral3/memory/3048-2607-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/1380-2608-0x0000000073F20000-0x00000000741EF000-memory.dmp	upx
behavioral3/memory/1380-2610-0x00000000743C0000-0x000000007448E000-memory.dmp	upx
behavioral3/memory/1380-2609-0x0000000074490000-0x0000000074558000-memory.dmp	upx
behavioral3/memory/1380-2612-0x0000000074390000-0x00000000743B4000-memory.dmp	upx
behavioral3/memory/1380-2611-0x0000000074560000-0x00000000745A9000-memory.dmp	upx
behavioral3/memory/1380-2613-0x0000000074280000-0x000000007438A000-memory.dmp	upx
behavioral3/memory/1380-2614-0x00000000741F0000-0x0000000074278000-memory.dmp	upx
behavioral3/memory/1380-2606-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/1380-2643-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/1380-2644-0x0000000073F20000-0x00000000741EF000-memory.dmp	upx
behavioral3/memory/1380-2646-0x00000000743C0000-0x000000007448E000-memory.dmp	upx
behavioral3/memory/1380-2645-0x0000000074490000-0x0000000074558000-memory.dmp	upx
behavioral3/memory/968-2681-0x0000000073F20000-0x00000000741EF000-memory.dmp	upx
behavioral3/memory/968-2683-0x0000000074490000-0x0000000074558000-memory.dmp	upx
behavioral3/memory/968-2685-0x00000000743C0000-0x000000007448E000-memory.dmp	upx
behavioral3/memory/968-2690-0x0000000074390000-0x00000000743B4000-memory.dmp	upx
behavioral3/memory/968-2687-0x0000000074560000-0x00000000745A9000-memory.dmp	upx
behavioral3/memory/968-2692-0x0000000074280000-0x000000007438A000-memory.dmp	upx
behavioral3/memory/968-2693-0x00000000741F0000-0x0000000074278000-memory.dmp	upx
behavioral3/memory/1380-2691-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/968-2679-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/968-2702-0x0000000074390000-0x00000000743B4000-memory.dmp	upx
behavioral3/memory/968-2703-0x0000000074280000-0x000000007438A000-memory.dmp	upx
behavioral3/memory/968-2704-0x0000000000740000-0x0000000000B44000-memory.dmp	upx
behavioral3/memory/968-2705-0x0000000073F20000-0x00000000741EF000-memory.dmp	upx
behavioral3/memory/968-2706-0x0000000074490000-0x0000000074558000-memory.dmp	upx
behavioral3/memory/968-2707-0x00000000743C0000-0x000000007448E000-memory.dmp	upx
behavioral3/memory/968-2708-0x0000000074560000-0x00000000745A9000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.216.223.2
Destination IP	88.216.223.2

Looks up external IP address via web service 37 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
649	myexternalip.com
752	myexternalip.com
796	myexternalip.com
72	myexternalip.com
75	myexternalip.com
217	myexternalip.com
774	myexternalip.com
153	myexternalip.com
729	myexternalip.com
766	myexternalip.com
720	myexternalip.com
758	myexternalip.com
781	myexternalip.com
235	myexternalip.com
259	myexternalip.com
267	myexternalip.com
243	myexternalip.com
274	myexternalip.com
737	myexternalip.com
744	myexternalip.com
162	myexternalip.com
195	myexternalip.com
226	myexternalip.com
110	myexternalip.com
119	myexternalip.com
136	myexternalip.com
251	myexternalip.com
285	myexternalip.com
53	myexternalip.com
84	myexternalip.com
102	myexternalip.com
178	myexternalip.com
210	myexternalip.com
93	myexternalip.com
145	myexternalip.com
789	myexternalip.com
52	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 40 IoCs

pid	Process
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4872 set thread context of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4872	75bff99becc32bcbe56efbe7a75f4d45.exe
4872	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1116	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeShutdownPrivilege	1116	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeManageVolumePrivilege	788	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1116	75bff99becc32bcbe56efbe7a75f4d45.exe
1116	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 4872 wrote to memory of 1116	4872	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 1116 wrote to memory of 3048	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	97
PID 1116 wrote to memory of 3048	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	97
PID 1116 wrote to memory of 3048	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	97
PID 1116 wrote to memory of 1380	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	98
PID 1116 wrote to memory of 1380	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	98
PID 1116 wrote to memory of 1380	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	98
PID 1116 wrote to memory of 968	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 1116 wrote to memory of 968	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 1116 wrote to memory of 968	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 1116 wrote to memory of 4688	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 1116 wrote to memory of 4688	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 1116 wrote to memory of 4688	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 1116 wrote to memory of 1200	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 1116 wrote to memory of 1200	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 1116 wrote to memory of 1200	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 1116 wrote to memory of 3800	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 1116 wrote to memory of 3800	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 1116 wrote to memory of 3800	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 1116 wrote to memory of 728	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 1116 wrote to memory of 728	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 1116 wrote to memory of 728	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 1116 wrote to memory of 488	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 1116 wrote to memory of 488	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 1116 wrote to memory of 488	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 1116 wrote to memory of 1408	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	105
PID 1116 wrote to memory of 1408	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	105
PID 1116 wrote to memory of 1408	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	105
PID 1116 wrote to memory of 3296	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	106
PID 1116 wrote to memory of 3296	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	106
PID 1116 wrote to memory of 3296	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	106
PID 1116 wrote to memory of 1872	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	107
PID 1116 wrote to memory of 1872	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	107
PID 1116 wrote to memory of 1872	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	107
PID 1116 wrote to memory of 788	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	108
PID 1116 wrote to memory of 788	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	108
PID 1116 wrote to memory of 788	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	108
PID 1116 wrote to memory of 3228	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	109
PID 1116 wrote to memory of 3228	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	109
PID 1116 wrote to memory of 3228	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	109
PID 1116 wrote to memory of 4236	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	110
PID 1116 wrote to memory of 4236	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	110
PID 1116 wrote to memory of 4236	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	110
PID 1116 wrote to memory of 424	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	111
PID 1116 wrote to memory of 424	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	111
PID 1116 wrote to memory of 424	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	111
PID 1116 wrote to memory of 3500	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	112
PID 1116 wrote to memory of 3500	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	112
PID 1116 wrote to memory of 3500	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	112
PID 1116 wrote to memory of 2356	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	113
PID 1116 wrote to memory of 2356	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	113
PID 1116 wrote to memory of 2356	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	113
PID 1116 wrote to memory of 1144	1116	75bff99becc32bcbe56efbe7a75f4d45.exe	114

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3048
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1380
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:968
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4688
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1200
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3800
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:728
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:488
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1408
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1872
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:788
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3228
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4236
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:424
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3500
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3376
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3024
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:392
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5112
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3604
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4188
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3232
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1188
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3280
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2564
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:424
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:404
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2720
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2988
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1972
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3100
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3372
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5064
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3536
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3560
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4644
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3800
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1124
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4616
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4100
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1248
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4176
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3916
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3596
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4436
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1412
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1540
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3632
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    PID:4600
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    PID:2376
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    PID:4940
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    PID:764
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    PID:5008
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    PID:208

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
89cb6fbb4050355a3d6278acfcfde7e9

SHA1
8b76a664610f688fd539e1282894ecc79bc6ae4a

SHA256
73c5e311f67c9923582bd3690a32541561d512e4b387572f562d3aef81ab4779

SHA512
1ba1c6c4343a76e4c3550767cb80a4033efb31579b2533d0497b7ea3d6397fecaf914bb091508f8d65ad8eda7e4c42361a25f29be12d13d4d781c8db9333ec8e

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs

Filesize
20KB

MD5
4ec526a06f6e40db14ae9f5947a8d7c4

SHA1
b456e6404e2912a37ffa6b7966a42e9d9c2cb6c9

SHA256
8c2ca5f42e1e85f366611ca280a2b272c094dc4a04a2903c42c709bfdb7c101c

SHA512
a25179ff3ef6fdd192a07605411b9304ca704cacec42641d909cd0b714d1b156703c4d12b931803e2255f1d28b4d261ad644e7b6aa77ecb2830367b9f9df1ae9

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
381cc5ba2ce158b71214b0d01a0b1a5c

SHA1
d7c546b983b31d2785f46e3b097992f96445074d

SHA256
ad8060faee1771ee0547d651d4cceee52263e534b0cf84efa75f6c0bab1187ec

SHA512
8fc885b883e058bb907a3eb8d2a88bfa6729d114f926db80c15af03aa01f2e8833727c80e77903a730c7721f9e3730e6a95cd4d938c7da24c0848ff34691f8b4

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs

Filesize
20.3MB

MD5
929c7825f0c7db49d171c9565af5e068

SHA1
5c32b2bd6dd32ce5db5616f042020763abb48836

SHA256
4d785fe4c3f130f70fcb8b3dd660c66a7ff5209bfada9c9db060af9029e5e998

SHA512
ab072e2941f2c77fed616440ecde6ac7700b711b87cc0c28614d0380b27aa1661ac5d09260cf9b553e1d0b9e91487e766f650e5a344286cb8ee7a471acec86dc

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new

Filesize
6.4MB

MD5
1809fa0fddc6d59d5ec1a8b9973a6460

SHA1
2a27e5602831b2e46d45b86ff3f5571123ab45d1

SHA256
4b1d3e35db4b433f494992ad370c037cc32bccb24e5046e3f6afcdc32a010c27

SHA512
b88f795df45c9ff42c9a45f102ba5ff94c5347afa625f8d1fc1038abbd02af789d480ae36b1c035d6a698f884666dbfcd62d2fe2184d467e1edd43bef3d7250c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new

Filesize
20.3MB

MD5
1c396951dfe229713d8f10b02e5755fa

SHA1
c79515fa35395cf42febe686943b4894670bc5f6

SHA256
6b6f11348d508715e170518ff5e01117769215776baa5c88d368c6ab27271581

SHA512
592543d3f7cf980efe095945e7a47ff3019ab407cf99c772709084db7f2006fccf5c3ad5d077bad8b39c143ebd9e97332a083f4aad9bbbaa0a9ebb1b506fc313

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
3KB

MD5
d00002f525d4b9bc0c78f551b3d3608f

SHA1
0611f979478271426bfe7be722d327b9090ad97d

SHA256
af4237e5bfbff33c01b5ef97dc06e8d6abf894b2798bdaf4bd44dda182cf3bb0

SHA512
dc775b7ed58eb40056ce0e39b7c990967ae16b4bd17fabc16a3b57fecbe0a6b7348ebc7fd113640db9313872001f33265eaf0e138b69a062c8a3d4c0026bcae1

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
5KB

MD5
f6e8d595745ea5bb1bc5408a2cce2750

SHA1
8809df2455dc88b8d9a793483e0b2d081a52c456

SHA256
1995a2e68beaf48840f013069cf77cf9eda730189ce569db3112c2c4778a775c

SHA512
e59ad0a926bfbcf2d8cc580e5ab5574ae4a3a14e559227243f1f0ae7af57d83c57f529159b6f174183df51bab42f26ceea8917dcd68de018e7fa81c1c2d2a73d

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
232B

MD5
e8adbd7614739ceae4ae9e982f45a903

SHA1
46ab4ea10ffdf4debc9d4d915b486b7deaaf05ff

SHA256
8343e78c709d20753b90fb8eb52447e99ca9f3426d2c5c40312cf9cdcd687bb7

SHA512
4da4a5e8acc5d47969d961d1b1826a2d0a61fb8147d66c51985ef3ef1e1e9ffca4a29432102f03176870ff66b930ed7cc653fb76829bb071b0518f8cd1a08fe0

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\torrc

Filesize
157B

MD5
68afdef35a6105c2b148649bd05901b0

SHA1
828a2b590a95c2a411cc1b0004207747f2571024

SHA256
4e4e4e7f9fb03bcb898ce4f6075e3082d3a341d9fff1955ddf45089f83565622

SHA512
f198da05ec57c8525e6643f7f2c212701d0ab641d2850a28ce4cea7c33ac7b5c75782273bf7f01f95ccf02e27adf7c237ed116c5b0f220c13e70fe0aa7cfc671

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/968-2679-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/968-2692-0x0000000074280000-0x000000007438A000-memory.dmp

Filesize
1.0MB

Download
memory/968-2681-0x0000000073F20000-0x00000000741EF000-memory.dmp

Filesize
2.8MB

Download
memory/968-2702-0x0000000074390000-0x00000000743B4000-memory.dmp

Filesize
144KB

Download
memory/968-2706-0x0000000074490000-0x0000000074558000-memory.dmp

Filesize
800KB

Download
memory/968-2693-0x00000000741F0000-0x0000000074278000-memory.dmp

Filesize
544KB

Download
memory/968-2705-0x0000000073F20000-0x00000000741EF000-memory.dmp

Filesize
2.8MB

Download
memory/968-2683-0x0000000074490000-0x0000000074558000-memory.dmp

Filesize
800KB

Download
memory/968-2685-0x00000000743C0000-0x000000007448E000-memory.dmp

Filesize
824KB

Download
memory/968-2707-0x00000000743C0000-0x000000007448E000-memory.dmp

Filesize
824KB

Download
memory/968-2687-0x0000000074560000-0x00000000745A9000-memory.dmp

Filesize
292KB

Download
memory/968-2690-0x0000000074390000-0x00000000743B4000-memory.dmp

Filesize
144KB

Download
memory/968-2703-0x0000000074280000-0x000000007438A000-memory.dmp

Filesize
1.0MB

Download
memory/968-2704-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/968-2708-0x0000000074560000-0x00000000745A9000-memory.dmp

Filesize
292KB

Download
memory/1116-2501-0x0000000073B40000-0x0000000073B79000-memory.dmp

Filesize
228KB

Download
memory/1116-2515-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1116-2444-0x0000000075130000-0x0000000075169000-memory.dmp

Filesize
228KB

Download
memory/1116-2642-0x0000000072C60000-0x0000000072C99000-memory.dmp

Filesize
228KB

Download
memory/1116-2562-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/1116-2442-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1380-2645-0x0000000074490000-0x0000000074558000-memory.dmp

Filesize
800KB

Download
memory/1380-2643-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/1380-2610-0x00000000743C0000-0x000000007448E000-memory.dmp

Filesize
824KB

Download
memory/1380-2609-0x0000000074490000-0x0000000074558000-memory.dmp

Filesize
800KB

Download
memory/1380-2611-0x0000000074560000-0x00000000745A9000-memory.dmp

Filesize
292KB

Download
memory/1380-2608-0x0000000073F20000-0x00000000741EF000-memory.dmp

Filesize
2.8MB

Download
memory/1380-2612-0x0000000074390000-0x00000000743B4000-memory.dmp

Filesize
144KB

Download
memory/1380-2613-0x0000000074280000-0x000000007438A000-memory.dmp

Filesize
1.0MB

Download
memory/1380-2644-0x0000000073F20000-0x00000000741EF000-memory.dmp

Filesize
2.8MB

Download
memory/1380-2691-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/1380-2614-0x00000000741F0000-0x0000000074278000-memory.dmp

Filesize
544KB

Download
memory/1380-2646-0x00000000743C0000-0x000000007448E000-memory.dmp

Filesize
824KB

Download
memory/1380-2606-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/3048-2481-0x0000000073F20000-0x00000000741EF000-memory.dmp

Filesize
2.8MB

Download
memory/3048-2531-0x0000000074560000-0x00000000745A9000-memory.dmp

Filesize
292KB

Download
memory/3048-2474-0x0000000074560000-0x00000000745A9000-memory.dmp

Filesize
292KB

Download
memory/3048-2475-0x0000000074490000-0x0000000074558000-memory.dmp

Filesize
800KB

Download
memory/3048-2462-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/3048-2483-0x0000000074280000-0x000000007438A000-memory.dmp

Filesize
1.0MB

Download
memory/3048-2484-0x00000000741F0000-0x0000000074278000-memory.dmp

Filesize
544KB

Download
memory/3048-2486-0x0000000000B50000-0x0000000000BD8000-memory.dmp

Filesize
544KB

Download
memory/3048-2485-0x00000000012F0000-0x00000000015BF000-memory.dmp

Filesize
2.8MB

Download
memory/3048-2607-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/3048-2478-0x0000000074390000-0x00000000743B4000-memory.dmp

Filesize
144KB

Download
memory/3048-2476-0x00000000743C0000-0x000000007448E000-memory.dmp

Filesize
824KB

Download
memory/3048-2538-0x00000000012F0000-0x00000000015BF000-memory.dmp

Filesize
2.8MB

Download
memory/3048-2536-0x0000000074280000-0x000000007438A000-memory.dmp

Filesize
1.0MB

Download
memory/3048-2535-0x0000000074490000-0x0000000074558000-memory.dmp

Filesize
800KB

Download
memory/3048-2534-0x0000000073F20000-0x00000000741EF000-memory.dmp

Filesize
2.8MB

Download
memory/3048-2533-0x0000000074390000-0x00000000743B4000-memory.dmp

Filesize
144KB

Download
memory/3048-2530-0x0000000000740000-0x0000000000B44000-memory.dmp

Filesize
4.0MB

Download
memory/3048-2532-0x00000000743C0000-0x000000007448E000-memory.dmp

Filesize
824KB

Download
memory/4872-53-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-35-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-67-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-69-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-71-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-73-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-63-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-2441-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-61-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-59-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-57-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-55-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-0-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-51-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-49-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-47-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-45-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-43-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-41-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-39-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-37-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-65-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-33-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-31-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-29-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-27-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-25-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-23-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-20-0x0000000006400000-0x0000000006410000-memory.dmp

Filesize
64KB

Download
memory/4872-21-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-18-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-16-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-14-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-12-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-10-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-9-0x0000000003AA0000-0x0000000003B1C000-memory.dmp

Filesize
496KB

Download
memory/4872-8-0x0000000003AA0000-0x0000000003B22000-memory.dmp

Filesize
520KB

Download
memory/4872-7-0x0000000008930000-0x0000000008E50000-memory.dmp

Filesize
5.1MB

Download
memory/4872-6-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-5-0x00000000062A0000-0x00000000062AA000-memory.dmp

Filesize
40KB

Download
memory/4872-4-0x0000000006400000-0x0000000006410000-memory.dmp

Filesize
64KB

Download
memory/4872-3-0x0000000006200000-0x0000000006292000-memory.dmp

Filesize
584KB

Download
memory/4872-2-0x00000000067B0000-0x0000000006D54000-memory.dmp

Filesize
5.6MB

Download
memory/4872-1-0x0000000000FF0000-0x00000000016F8000-memory.dmp

Filesize
7.0MB

Download