bitrat | 1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386

max time kernel
1799s
max time network
1805s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-04-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec74da2134bd56250ca32be04b9b697.exe
Size

7.8MB
MD5

6ec74da2134bd56250ca32be04b9b697
SHA1

d20ff3ed5ff0f49b10d6c06dbc5710fb910e2e28
SHA256

1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386
SHA512

d4d71707f0d8e5d7473980ddebea9fe7764dd38cc3cb51e789336869f28425d5d42aa229cdaac08ba22bebdabf108bfeb8c5f30452f9fd2787275c2863e3fea2
SSDEEP

196608:6CRAktw/6k1Juxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfTVI:VRAktqJuxwZ6v1CPwDv3uFteg2EeJUOf

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.33

bkc56e3jgy5zlfq7ialxyppztuh4dgranlyauupid4uc2ze5hg2cshqd.onion:80

Attributes

communication_password
a0439c943ecd02cca78474e6b334f67e
install_dir
Java_update
install_file
java_update.exe
tor_process
adobe

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll	acprotect
\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll	acprotect
\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll	acprotect

Executes dropped EXE 64 IoCs

Processes:

ttttt.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exe

pid	process
2464	ttttt.exe
2520	adobe.exe
2156	adobe.exe
820	adobe.exe
2412	adobe.exe
1980	adobe.exe
2104	adobe.exe
2212	adobe.exe
2584	adobe.exe
2284	adobe.exe
1860	adobe.exe
1072	adobe.exe
2104	adobe.exe
2192	adobe.exe
820	adobe.exe
1684	adobe.exe
2112	adobe.exe
624	adobe.exe
2888	adobe.exe
2548	adobe.exe
2188	adobe.exe
2132	adobe.exe
1600	adobe.exe
1708	adobe.exe
1196	adobe.exe
2092	adobe.exe
2900	adobe.exe
1308	adobe.exe
1624	adobe.exe
2120	adobe.exe
1988	adobe.exe
2156	adobe.exe
2556	adobe.exe
1736	adobe.exe
1944	adobe.exe
2960	adobe.exe
2196	adobe.exe
2208	adobe.exe
2460	adobe.exe
1548	adobe.exe
2544	adobe.exe
680	adobe.exe
2120	adobe.exe
772	adobe.exe
660	adobe.exe
2388	adobe.exe
928	adobe.exe
1860	adobe.exe
972	adobe.exe
1664	adobe.exe
1648	adobe.exe
1368	adobe.exe
844	adobe.exe
1860	adobe.exe
2024	adobe.exe
2928	adobe.exe
1740	adobe.exe
1724	adobe.exe
1976	adobe.exe
2532	adobe.exe
940	adobe.exe
2996	adobe.exe
2300	adobe.exe
688	adobe.exe

Loads dropped DLL 64 IoCs

Processes:

ttttt.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exe

pid	process
2464	ttttt.exe
2464	ttttt.exe
2520	adobe.exe
2520	adobe.exe
2520	adobe.exe
2520	adobe.exe
2520	adobe.exe
2520	adobe.exe
2520	adobe.exe
2464	ttttt.exe
2156	adobe.exe
2156	adobe.exe
2156	adobe.exe
2156	adobe.exe
2156	adobe.exe
2156	adobe.exe
2156	adobe.exe
2464	ttttt.exe
820	adobe.exe
820	adobe.exe
820	adobe.exe
820	adobe.exe
820	adobe.exe
820	adobe.exe
820	adobe.exe
2464	ttttt.exe
2412	adobe.exe
2412	adobe.exe
2412	adobe.exe
2412	adobe.exe
2412	adobe.exe
2412	adobe.exe
2412	adobe.exe
2464	ttttt.exe
1980	adobe.exe
1980	adobe.exe
1980	adobe.exe
1980	adobe.exe
1980	adobe.exe
1980	adobe.exe
1980	adobe.exe
2464	ttttt.exe
2104	adobe.exe
2104	adobe.exe
2104	adobe.exe
2104	adobe.exe
2104	adobe.exe
2104	adobe.exe
2104	adobe.exe
2464	ttttt.exe
2212	adobe.exe
2212	adobe.exe
2212	adobe.exe
2212	adobe.exe
2212	adobe.exe
2212	adobe.exe
2212	adobe.exe
2464	ttttt.exe
2584	adobe.exe
2584	adobe.exe
2584	adobe.exe
2584	adobe.exe
2584	adobe.exe
2584	adobe.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe	upx
behavioral1/memory/2464-32-0x0000000003C70000-0x0000000004074000-memory.dmp	upx
behavioral1/memory/2520-33-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
C:\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll	upx
behavioral1/memory/2520-49-0x0000000074630000-0x00000000746B8000-memory.dmp	upx
\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll	upx
behavioral1/memory/2520-54-0x0000000074760000-0x0000000074784000-memory.dmp	upx
behavioral1/memory/2520-52-0x0000000073EB0000-0x0000000073F7E000-memory.dmp	upx
behavioral1/memory/2520-46-0x0000000073F80000-0x000000007408A000-memory.dmp	upx
\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll	upx
behavioral1/memory/2520-43-0x0000000074090000-0x0000000074158000-memory.dmp	upx
behavioral1/memory/2520-40-0x00000000746C0000-0x0000000074709000-memory.dmp	upx
behavioral1/memory/2520-37-0x0000000074160000-0x000000007442F000-memory.dmp	upx
behavioral1/memory/2520-60-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2520-71-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2520-72-0x0000000074160000-0x000000007442F000-memory.dmp	upx
behavioral1/memory/2520-73-0x00000000746C0000-0x0000000074709000-memory.dmp	upx
behavioral1/memory/2520-74-0x0000000074090000-0x0000000074158000-memory.dmp	upx
behavioral1/memory/2520-76-0x0000000073F80000-0x000000007408A000-memory.dmp	upx
behavioral1/memory/2520-78-0x0000000073EB0000-0x0000000073F7E000-memory.dmp	upx
behavioral1/memory/2520-77-0x0000000074630000-0x00000000746B8000-memory.dmp	upx
behavioral1/memory/2520-94-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2520-122-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2520-130-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2464-147-0x00000000057E0000-0x0000000005BE4000-memory.dmp	upx
behavioral1/memory/2156-149-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2156-155-0x0000000000D00000-0x0000000001104000-memory.dmp	upx
behavioral1/memory/2156-158-0x0000000074160000-0x000000007442F000-memory.dmp	upx
behavioral1/memory/2156-157-0x0000000074090000-0x0000000074158000-memory.dmp	upx
behavioral1/memory/2156-154-0x00000000746C0000-0x0000000074709000-memory.dmp	upx
behavioral1/memory/2156-151-0x0000000074160000-0x000000007442F000-memory.dmp	upx
behavioral1/memory/2156-161-0x00000000746C0000-0x0000000074709000-memory.dmp	upx
behavioral1/memory/2156-162-0x0000000074630000-0x00000000746B8000-memory.dmp	upx
behavioral1/memory/2156-164-0x0000000073EB0000-0x0000000073F7E000-memory.dmp	upx
behavioral1/memory/2156-166-0x0000000074760000-0x0000000074784000-memory.dmp	upx
behavioral1/memory/2156-160-0x0000000073F80000-0x000000007408A000-memory.dmp	upx
behavioral1/memory/820-187-0x0000000073F50000-0x000000007421F000-memory.dmp	upx
behavioral1/memory/820-188-0x0000000073F00000-0x0000000073F49000-memory.dmp	upx
behavioral1/memory/820-189-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral1/memory/820-190-0x0000000073430000-0x000000007353A000-memory.dmp	upx
behavioral1/memory/820-191-0x00000000733A0000-0x0000000073428000-memory.dmp	upx
behavioral1/memory/820-194-0x0000000074640000-0x0000000074664000-memory.dmp	upx
behavioral1/memory/820-195-0x0000000000260000-0x0000000000664000-memory.dmp	upx
behavioral1/memory/820-196-0x00000000732D0000-0x000000007339E000-memory.dmp	upx
behavioral1/memory/820-208-0x0000000000260000-0x0000000000664000-memory.dmp	upx
behavioral1/memory/820-209-0x0000000073F50000-0x000000007421F000-memory.dmp	upx
behavioral1/memory/820-210-0x0000000073F00000-0x0000000073F49000-memory.dmp	upx
behavioral1/memory/820-211-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral1/memory/820-212-0x0000000073430000-0x000000007353A000-memory.dmp	upx
behavioral1/memory/820-213-0x00000000733A0000-0x0000000073428000-memory.dmp	upx
behavioral1/memory/820-214-0x00000000732D0000-0x000000007339E000-memory.dmp	upx
behavioral1/memory/820-215-0x0000000074640000-0x0000000074664000-memory.dmp	upx
behavioral1/memory/820-216-0x0000000000260000-0x0000000000664000-memory.dmp	upx
behavioral1/memory/820-224-0x0000000000260000-0x0000000000664000-memory.dmp	upx
behavioral1/memory/820-230-0x0000000000260000-0x0000000000664000-memory.dmp	upx
behavioral1/memory/2464-255-0x00000000058E0000-0x0000000005CE4000-memory.dmp	upx
behavioral1/memory/2412-258-0x0000000073F50000-0x000000007421F000-memory.dmp	upx
behavioral1/memory/2412-260-0x0000000073F00000-0x0000000073F49000-memory.dmp	upx
behavioral1/memory/2412-263-0x0000000073540000-0x0000000073608000-memory.dmp	upx
behavioral1/memory/2412-266-0x0000000073430000-0x000000007353A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ttttt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\java_update = "C:\\Users\\Admin\\AppData\\Local\\Java_update\\java_update.exe"	ttttt.exe

Looks up external IP address via web service 51 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
242	myexternalip.com
305	myexternalip.com
405	myexternalip.com
159	myexternalip.com
111	myexternalip.com
280	myexternalip.com
22	myexternalip.com
13	myexternalip.com
80	myexternalip.com
265	myexternalip.com
368	myexternalip.com
36	myexternalip.com
119	myexternalip.com
133	myexternalip.com
167	myexternalip.com
72	myexternalip.com
336	myexternalip.com
360	myexternalip.com
182	myexternalip.com
250	myexternalip.com
258	myexternalip.com
320	myexternalip.com
213	myexternalip.com
174	myexternalip.com
58	myexternalip.com
103	myexternalip.com
205	myexternalip.com
228	myexternalip.com
287	myexternalip.com
88	myexternalip.com
43	myexternalip.com
126	myexternalip.com
297	myexternalip.com
14	myexternalip.com
197	myexternalip.com
344	myexternalip.com
384	myexternalip.com
398	myexternalip.com
189	myexternalip.com
96	myexternalip.com
235	myexternalip.com
376	myexternalip.com
51	myexternalip.com
149	myexternalip.com
272	myexternalip.com
312	myexternalip.com
328	myexternalip.com
32	myexternalip.com
221	myexternalip.com
352	myexternalip.com
141	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 54 IoCs

Processes:

ttttt.exe

pid	process
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe
2464	ttttt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ttttt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ttttt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ttttt.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6ec74da2134bd56250ca32be04b9b697.exe

pid process

1708 6ec74da2134bd56250ca32be04b9b697.exe
1708 6ec74da2134bd56250ca32be04b9b697.exe
1708 6ec74da2134bd56250ca32be04b9b697.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ttttt.exe

pid process

2464 ttttt.exe

pid	process
1708	6ec74da2134bd56250ca32be04b9b697.exe
1708	6ec74da2134bd56250ca32be04b9b697.exe
1708	6ec74da2134bd56250ca32be04b9b697.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6ec74da2134bd56250ca32be04b9b697.exettttt.exe

description	pid	process
Token: SeDebugPrivilege	1708	6ec74da2134bd56250ca32be04b9b697.exe
Token: SeDebugPrivilege	2464	ttttt.exe
Token: SeShutdownPrivilege	2464	ttttt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ttttt.exe

pid process

2464 ttttt.exe
2464 ttttt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6ec74da2134bd56250ca32be04b9b697.exettttt.exe

description	pid	process	target process
PID 1708 wrote to memory of 2464	1708	6ec74da2134bd56250ca32be04b9b697.exe	ttttt.exe
PID 1708 wrote to memory of 2464	1708	6ec74da2134bd56250ca32be04b9b697.exe	ttttt.exe
PID 1708 wrote to memory of 2464	1708	6ec74da2134bd56250ca32be04b9b697.exe	ttttt.exe
PID 1708 wrote to memory of 2464	1708	6ec74da2134bd56250ca32be04b9b697.exe	ttttt.exe
PID 2464 wrote to memory of 2520	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2520	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2520	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2520	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2156	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2156	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2156	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2156	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2412	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2412	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2412	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2412	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1980	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1980	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1980	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1980	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2212	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2212	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2212	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2212	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2584	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2584	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2584	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2584	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2284	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2284	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2284	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2284	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1860	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1860	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1860	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1860	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1072	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1072	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1072	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1072	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2104	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2192	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2192	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2192	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 2192	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 820	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1684	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1684	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1684	2464	ttttt.exe	adobe.exe
PID 2464 wrote to memory of 1684	2464	ttttt.exe	adobe.exe

C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe
"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\ttttt.exe
"C:\Users\Admin\AppData\Local\Temp\ttttt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1196

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2900

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1988

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2156

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1736

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2544

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:772

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:660

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:844

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2532

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:940

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
- Executes dropped EXE
PID:688

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1372

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2800

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2480

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1492

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:820

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2512

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1340

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2444

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1624

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1760

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2824

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2888

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1640

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2912

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1952

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1652

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1604

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2948

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2796

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:852

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1944

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1952

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:2908

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc
3⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9F3E.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DF2.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttttt.exe
Filesize
7.8MB

MD5
fb3275ed37c90f2157066dcb2a8e46cb

SHA1
9eca563f4a66414d05ae700bcd57dfbb06644a19

SHA256
b9a5fed33c62e470f337ee1da21e4b1abab7a4b5107aabb01e432d8b32eab9ab

SHA512
408661a5c3b10a46bac7d5f4f0cf20baa4f97da31d1c9e7b994710f5e00de9afd343d3e74f60337058b06530aaca95c66af7698b0da34e9592a49f67933c8671

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-certs
Filesize
20KB

MD5
10a51fb5e04ab03be568f1f12c039b48

SHA1
0b4f27ce96476186ea6ef372e2ffe2b718de0f6d

SHA256
7d5662d171c4a85f7f5ae269a34e875f7f1de1165864c6c4fefcd53f97692ad5

SHA512
6da979ba565cf5f99e9d0af207badedcbb799e205d83d756bbd8ab721b5a88c1b84a6fb86f4b09e91dde09a90a657d8fd5805768932d0a204e559af6d03900bc

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
4a588a9a8a45b44021e47fc04f8529de

SHA1
9da79dc4ce4697853891388fa2c6effe3d57fe50

SHA256
8c59043346979bf7be919489f68f453400e7ee05dfa334467a63d410fe9e3f5d

SHA512
8187287b39bed37d5307b5bfabacebb85072c6bf1bd485a5023b5e3bcc4282cc4bc21c543bcc95bf7a3ad5de17c90bf392dc5540432ed240657edb796223d1c2

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new
Filesize
20.3MB

MD5
764969402318e13809b65c8269f5d4ed

SHA1
d97096b1d0bc685e99da6621bae1259aa2d9fb8e

SHA256
6d69bc0cd7b39a81cfaa073814830de7a5547295534b8e94e17d6fe92f7be534

SHA512
25ecf0f3095511e83c849066746f7b3e1ee08f67fa54c6c827f80b653dbf751c0816980ca0f5ba316c7e25cbc0f56f8ba0eafd6cf2b446fc520b29ef9ab78cc3

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new
Filesize
7.9MB

MD5
d6839cd61ee4645630a13dbc49a888dc

SHA1
fb2256e37878c9ce281e5aca82c8cb22d833e859

SHA256
2faac2f112106e849aa38dcf77f8eab610d46e3bf54598d0e2d4035951fbbc6f

SHA512
c58de52cfb2b8e9d5c529ab73bbd1e3147144764c2a08bdbb74149478e910114ae98b6f00bded7f0743ef4053af774b50c5280c6022be3cd3e68f87469adaab6

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\data\state
Filesize
9KB

MD5
71a1b04cb4b630a01007dbf37e028ddd

SHA1
f4e2f4848211d5859acb47fc1b66e7148384addc

SHA256
6b19516423ce6f765d3ec240385285ba55690d7ee904724f0905af6641931b8c

SHA512
88312e6bf895790cece7ae89e983f4e5ba75d6ba390997181329660c1c0d218df5e66b7daae40364c79139dfb7d1e7e19e65be95a7ff15c47baea49eb7a7fea2

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\a0d62031\tor\torrc
Filesize
139B

MD5
aed5236dc2f3c2c8244913bc771a0980

SHA1
24bf716687ea54e3f44f405da94acce3046aba2a

SHA256
69b07fcdeb4c47ad20869ac27c2b39dfe4afcba2e972500d24a5670904226f12

SHA512
ef367214b48860bd704eb52d35881f75cd18fe177be6d49c407e77b6b44dee46f717f578236a14f4028164beaaf616777aaef58b593b8f980a66c5241076c053

Download Submit
\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/820-211-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/820-196-0x00000000732D0000-0x000000007339E000-memory.dmp

Filesize
824KB

Download
memory/820-187-0x0000000073F50000-0x000000007421F000-memory.dmp

Filesize
2.8MB

Download
memory/820-188-0x0000000073F00000-0x0000000073F49000-memory.dmp

Filesize
292KB

Download
memory/820-189-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/820-190-0x0000000073430000-0x000000007353A000-memory.dmp

Filesize
1.0MB

Download
memory/820-191-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/820-194-0x0000000074640000-0x0000000074664000-memory.dmp

Filesize
144KB

Download
memory/820-195-0x0000000000260000-0x0000000000664000-memory.dmp

Filesize
4.0MB

Download
memory/820-210-0x0000000073F00000-0x0000000073F49000-memory.dmp

Filesize
292KB

Download
memory/820-230-0x0000000000260000-0x0000000000664000-memory.dmp

Filesize
4.0MB

Download
memory/820-224-0x0000000000260000-0x0000000000664000-memory.dmp

Filesize
4.0MB

Download
memory/820-208-0x0000000000260000-0x0000000000664000-memory.dmp

Filesize
4.0MB

Download
memory/820-216-0x0000000000260000-0x0000000000664000-memory.dmp

Filesize
4.0MB

Download
memory/820-215-0x0000000074640000-0x0000000074664000-memory.dmp

Filesize
144KB

Download
memory/820-214-0x00000000732D0000-0x000000007339E000-memory.dmp

Filesize
824KB

Download
memory/820-213-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/820-212-0x0000000073430000-0x000000007353A000-memory.dmp

Filesize
1.0MB

Download
memory/820-209-0x0000000073F50000-0x000000007421F000-memory.dmp

Filesize
2.8MB

Download
memory/1708-1-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-13-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-0-0x0000000000AF0000-0x00000000012CC000-memory.dmp

Filesize
7.9MB

Download
memory/1708-5-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1708-3-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/1708-2-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1708-4-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1980-295-0x00000000010B0000-0x00000000014B4000-memory.dmp

Filesize
4.0MB

Download
memory/1980-296-0x00000000741D0000-0x0000000074219000-memory.dmp

Filesize
292KB

Download
memory/1980-297-0x0000000074100000-0x00000000741C8000-memory.dmp

Filesize
800KB

Download
memory/1980-301-0x0000000073340000-0x000000007360F000-memory.dmp

Filesize
2.8MB

Download
memory/1980-298-0x0000000073FF0000-0x00000000740FA000-memory.dmp

Filesize
1.0MB

Download
memory/1980-302-0x0000000073270000-0x000000007333E000-memory.dmp

Filesize
824KB

Download
memory/1980-299-0x0000000073F60000-0x0000000073FE8000-memory.dmp

Filesize
544KB

Download
memory/1980-300-0x0000000073F30000-0x0000000073F54000-memory.dmp

Filesize
144KB

Download
memory/2156-164-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/2156-158-0x0000000074160000-0x000000007442F000-memory.dmp

Filesize
2.8MB

Download
memory/2156-166-0x0000000074760000-0x0000000074784000-memory.dmp

Filesize
144KB

Download
memory/2156-160-0x0000000073F80000-0x000000007408A000-memory.dmp

Filesize
1.0MB

Download
memory/2156-162-0x0000000074630000-0x00000000746B8000-memory.dmp

Filesize
544KB

Download
memory/2156-149-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2156-155-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2156-161-0x00000000746C0000-0x0000000074709000-memory.dmp

Filesize
292KB

Download
memory/2156-151-0x0000000074160000-0x000000007442F000-memory.dmp

Filesize
2.8MB

Download
memory/2156-154-0x00000000746C0000-0x0000000074709000-memory.dmp

Filesize
292KB

Download
memory/2156-157-0x0000000074090000-0x0000000074158000-memory.dmp

Filesize
800KB

Download
memory/2412-275-0x0000000000260000-0x0000000000664000-memory.dmp

Filesize
4.0MB

Download
memory/2412-258-0x0000000073F50000-0x000000007421F000-memory.dmp

Filesize
2.8MB

Download
memory/2412-278-0x0000000073F50000-0x000000007421F000-memory.dmp

Filesize
2.8MB

Download
memory/2412-279-0x0000000073F00000-0x0000000073F49000-memory.dmp

Filesize
292KB

Download
memory/2412-273-0x0000000074640000-0x0000000074664000-memory.dmp

Filesize
144KB

Download
memory/2412-271-0x00000000732D0000-0x000000007339E000-memory.dmp

Filesize
824KB

Download
memory/2412-269-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/2412-266-0x0000000073430000-0x000000007353A000-memory.dmp

Filesize
1.0MB

Download
memory/2412-263-0x0000000073540000-0x0000000073608000-memory.dmp

Filesize
800KB

Download
memory/2412-260-0x0000000073F00000-0x0000000073F49000-memory.dmp

Filesize
292KB

Download
memory/2464-147-0x00000000057E0000-0x0000000005BE4000-memory.dmp

Filesize
4.0MB

Download
memory/2464-106-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2464-32-0x0000000003C70000-0x0000000004074000-memory.dmp

Filesize
4.0MB

Download
memory/2464-34-0x0000000003C70000-0x0000000004074000-memory.dmp

Filesize
4.0MB

Download
memory/2464-280-0x0000000004310000-0x000000000431A000-memory.dmp

Filesize
40KB

Download
memory/2464-170-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2464-171-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2464-228-0x0000000004310000-0x000000000431A000-memory.dmp

Filesize
40KB

Download
memory/2464-229-0x0000000004310000-0x000000000431A000-memory.dmp

Filesize
40KB

Download
memory/2464-58-0x0000000003C70000-0x0000000004074000-memory.dmp

Filesize
4.0MB

Download
memory/2464-255-0x00000000058E0000-0x0000000005CE4000-memory.dmp

Filesize
4.0MB

Download
memory/2464-172-0x00000000057E0000-0x0000000005BE4000-memory.dmp

Filesize
4.0MB

Download
memory/2464-105-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2520-72-0x0000000074160000-0x000000007442F000-memory.dmp

Filesize
2.8MB

Download
memory/2520-74-0x0000000074090000-0x0000000074158000-memory.dmp

Filesize
800KB

Download
memory/2520-94-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2520-122-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2520-130-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2520-78-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/2520-60-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2520-71-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2520-76-0x0000000073F80000-0x000000007408A000-memory.dmp

Filesize
1.0MB

Download
memory/2520-77-0x0000000074630000-0x00000000746B8000-memory.dmp

Filesize
544KB

Download
memory/2520-43-0x0000000074090000-0x0000000074158000-memory.dmp

Filesize
800KB

Download
memory/2520-40-0x00000000746C0000-0x0000000074709000-memory.dmp

Filesize
292KB

Download
memory/2520-46-0x0000000073F80000-0x000000007408A000-memory.dmp

Filesize
1.0MB

Download
memory/2520-52-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/2520-54-0x0000000074760000-0x0000000074784000-memory.dmp

Filesize
144KB

Download
memory/2520-49-0x0000000074630000-0x00000000746B8000-memory.dmp

Filesize
544KB

Download
memory/2520-33-0x0000000000D00000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/2520-73-0x00000000746C0000-0x0000000074709000-memory.dmp

Filesize
292KB

Download
memory/2520-37-0x0000000074160000-0x000000007442F000-memory.dmp

Filesize
2.8MB

Download