bitrat | caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

max time kernel
596s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub_tor.exe
Size

7.8MB
MD5

c76390d9e1052d9e708940d67b5c135d
SHA1

a370a73a9dd746584428e8a939288ecffd3c80f7
SHA256

caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
SHA512

4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
SSDEEP

196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes

communication_password
4124bc0a9335c27f086f24ba207a4912
install_dir
Minecraft
install_file
Runtime_Broker
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

stub_tor.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation stub_tor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	stub_tor.exe

Executes dropped EXE 27 IoCs

Processes:

tor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exe

pid	process
3292	tor.exe
2608	tor.exe
3164	tor.exe
116	tor.exe
1232	tor.exe
4616	tor.exe
2148	tor.exe
4584	tor.exe
2240	tor.exe
3908	tor.exe
4192	tor.exe
4684	tor.exe
1644	tor.exe
4732	tor.exe
3292	tor.exe
3152	tor.exe
3320	tor.exe
4296	tor.exe
628	tor.exe
1832	tor.exe
3140	tor.exe
1544	tor.exe
1764	tor.exe
2148	tor.exe
1216	tor.exe
4168	tor.exe
3100	tor.exe

Loads dropped DLL 64 IoCs

Processes:

tor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exe

pid	process
3292	tor.exe
3292	tor.exe
3292	tor.exe
3292	tor.exe
3292	tor.exe
3292	tor.exe
3292	tor.exe
3292	tor.exe
3292	tor.exe
2608	tor.exe
2608	tor.exe
2608	tor.exe
2608	tor.exe
2608	tor.exe
2608	tor.exe
2608	tor.exe
3164	tor.exe
3164	tor.exe
3164	tor.exe
3164	tor.exe
3164	tor.exe
3164	tor.exe
3164	tor.exe
116	tor.exe
116	tor.exe
116	tor.exe
116	tor.exe
116	tor.exe
116	tor.exe
116	tor.exe
1232	tor.exe
1232	tor.exe
1232	tor.exe
1232	tor.exe
1232	tor.exe
1232	tor.exe
1232	tor.exe
4616	tor.exe
4616	tor.exe
4616	tor.exe
4616	tor.exe
4616	tor.exe
4616	tor.exe
4616	tor.exe
2148	tor.exe
2148	tor.exe
2148	tor.exe
2148	tor.exe
2148	tor.exe
2148	tor.exe
2148	tor.exe
2148	tor.exe
4584	tor.exe
4584	tor.exe
4584	tor.exe
4584	tor.exe
4584	tor.exe
4584	tor.exe
4584	tor.exe
2240	tor.exe
2240	tor.exe
2240	tor.exe
2240	tor.exe
2240	tor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll	upx
behavioral3/memory/3292-34-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-35-0x00000000736F0000-0x0000000073739000-memory.dmp	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll	upx
behavioral3/memory/3292-39-0x00000000736C0000-0x00000000736E4000-memory.dmp	upx
behavioral3/memory/3292-41-0x0000000073320000-0x00000000735EF000-memory.dmp	upx
behavioral3/memory/3292-42-0x00000000735F0000-0x00000000736B8000-memory.dmp	upx
behavioral3/memory/3292-43-0x0000000073210000-0x000000007331A000-memory.dmp	upx
behavioral3/memory/3292-46-0x0000000073740000-0x000000007380E000-memory.dmp	upx
behavioral3/memory/3292-44-0x0000000073180000-0x0000000073208000-memory.dmp	upx
behavioral3/memory/3292-48-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-58-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-68-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-86-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-95-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-110-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-118-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-126-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3292-134-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/2608-157-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/2608-159-0x0000000073320000-0x00000000735EF000-memory.dmp	upx
behavioral3/memory/2608-160-0x00000000735F0000-0x00000000736B8000-memory.dmp	upx
behavioral3/memory/2608-162-0x0000000073740000-0x000000007380E000-memory.dmp	upx
behavioral3/memory/2608-163-0x00000000736F0000-0x0000000073739000-memory.dmp	upx
behavioral3/memory/2608-164-0x00000000736C0000-0x00000000736E4000-memory.dmp	upx
behavioral3/memory/2608-166-0x0000000073210000-0x000000007331A000-memory.dmp	upx
behavioral3/memory/2608-169-0x0000000073180000-0x0000000073208000-memory.dmp	upx
behavioral3/memory/3292-165-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/2608-180-0x0000000073210000-0x000000007331A000-memory.dmp	upx
behavioral3/memory/2608-179-0x00000000736C0000-0x00000000736E4000-memory.dmp	upx
behavioral3/memory/2608-178-0x00000000736F0000-0x0000000073739000-memory.dmp	upx
behavioral3/memory/2608-177-0x0000000073740000-0x000000007380E000-memory.dmp	upx
behavioral3/memory/2608-181-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/2608-182-0x0000000073320000-0x00000000735EF000-memory.dmp	upx
behavioral3/memory/2608-183-0x00000000735F0000-0x00000000736B8000-memory.dmp	upx
behavioral3/memory/3164-195-0x0000000073510000-0x00000000735D8000-memory.dmp	upx
behavioral3/memory/3164-196-0x0000000073440000-0x000000007350E000-memory.dmp	upx
behavioral3/memory/3164-197-0x00000000733F0000-0x0000000073439000-memory.dmp	upx
behavioral3/memory/3164-203-0x00000000732B0000-0x00000000733BA000-memory.dmp	upx
behavioral3/memory/3164-200-0x00000000733C0000-0x00000000733E4000-memory.dmp	upx
behavioral3/memory/3164-204-0x0000000073220000-0x00000000732A8000-memory.dmp	upx
behavioral3/memory/3164-205-0x00000000735E0000-0x00000000738AF000-memory.dmp	upx
behavioral3/memory/3164-222-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/3164-231-0x0000000073510000-0x00000000735D8000-memory.dmp	upx
behavioral3/memory/3164-232-0x0000000073440000-0x000000007350E000-memory.dmp	upx
behavioral3/memory/116-252-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/116-254-0x00000000735E0000-0x00000000738AF000-memory.dmp	upx
behavioral3/memory/116-256-0x0000000073510000-0x00000000735D8000-memory.dmp	upx
behavioral3/memory/116-263-0x00000000733C0000-0x00000000733E4000-memory.dmp	upx
behavioral3/memory/3164-262-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/116-261-0x00000000733F0000-0x0000000073439000-memory.dmp	upx
behavioral3/memory/116-258-0x0000000073440000-0x000000007350E000-memory.dmp	upx
behavioral3/memory/116-266-0x00000000732B0000-0x00000000733BA000-memory.dmp	upx
behavioral3/memory/116-267-0x0000000073220000-0x00000000732A8000-memory.dmp	upx
behavioral3/memory/116-274-0x0000000073440000-0x000000007350E000-memory.dmp	upx
behavioral3/memory/116-275-0x0000000000DE0000-0x00000000011E4000-memory.dmp	upx
behavioral3/memory/116-276-0x00000000735E0000-0x00000000738AF000-memory.dmp	upx
behavioral3/memory/116-277-0x0000000073510000-0x00000000735D8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub_tor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker"	stub_tor.exe

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
47	myexternalip.com
103	myexternalip.com
111	myexternalip.com
83	myexternalip.com
95	myexternalip.com
120	myexternalip.com
128	myexternalip.com
136	myexternalip.com
48	myexternalip.com
68	myexternalip.com
75	myexternalip.com
143	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

stub_tor.exe

pid	process
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 64 IoCs

Processes:

stub_tor.exe

pid	process
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe
1492	stub_tor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

stub_tor.exe

description pid process

Token: SeShutdownPrivilege 1492 stub_tor.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

stub_tor.exe

pid process

1492 stub_tor.exe
1492 stub_tor.exe

description	pid	process
Token: SeShutdownPrivilege	1492	stub_tor.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

stub_tor.exe

description	pid	process	target process
PID 1492 wrote to memory of 3292	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3292	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3292	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2608	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2608	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2608	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3164	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3164	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3164	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 116	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 116	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 116	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1232	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1232	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1232	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4616	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4616	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4616	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2148	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2148	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2148	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4584	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4584	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4584	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2240	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2240	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 2240	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3908	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3908	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3908	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4192	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4192	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4192	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4684	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4684	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4684	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1644	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1644	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1644	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4732	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4732	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4732	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3292	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3292	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3292	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3152	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3152	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3152	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3320	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3320	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3320	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4296	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4296	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 4296	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 628	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 628	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 628	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1832	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1832	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1832	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3140	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3140	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 3140	1492	stub_tor.exe	tor.exe
PID 1492 wrote to memory of 1544	1492	stub_tor.exe	tor.exe

C:\Users\Admin\AppData\Local\Temp\stub_tor.exe
"C:\Users\Admin\AppData\Local\Temp\stub_tor.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3292

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3164

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:116

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4616

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4584

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4192

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:628

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-certs
Filesize
20KB

MD5
e9323057c6abe3e8075888734930243b

SHA1
7e20a63fb6dc70dbba4763b700f20ee128fd9799

SHA256
8c49faf85e9cd21394b56c0c4491f8abd9060b7da3d992db04975fb4d9035de0

SHA512
c7e0625c1e745feba4e24fb157a120f7b8ce6c6cd7a1fb81162e0009aa3bcf4f0cd20ecb5035cca30e9da9c0ee60e5a09410d76d89d8019fbc4743a7139c14c2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs
Filesize
20.3MB

MD5
28a21fd2f31b948c9338d6ea90bb1ad7

SHA1
f9577b3a4ec2c90e973d3398acb60b1086e05b34

SHA256
693a6e45a16ee507d5a78fa55ec28e903e23b0aea85cde7047d98eca1f4b607d

SHA512
d278188512145fd468ac5c66d8f924c2c2076f4b9d65a1b6093acee002174c2f81906b4178d535154fedc4402921207637acc563bc4050fd370f3a695e545b2c

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
20.3MB

MD5
3e44d7f59eaf6b1123cbc49d43072f9d

SHA1
7c078eb103dca2273b528161c85573d79c0d60d8

SHA256
18281968d8c329eb96c0147070b86db0dcc0a04d8931e33772265b7634d75ffc

SHA512
7e4b9e360175e7bf02aeb341debe3f77b4c989e79383a8d501ec26ac9a41824e6407c43c8b98dd9e443d62643f13c6b6f054556cadbb2968ddbfa5427092da7b

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
11.9MB

MD5
4fbd96b08ac63c0997370a457901ff99

SHA1
5cc96455d6836d506d14d62e274e4920c0d48f79

SHA256
0d91e262752ec94fa2dd9dc47710493665ceb13b1af3961e463d5a012e2da970

SHA512
240057de4d952f72c6b297e321b0d6cf0691e26e3b5925c76cd47a41ba889fddcefb24c371906ac1612759621ee42caba7d50fa8cdb5766063e722f92ebd9224

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state
Filesize
232B

MD5
9c323b1a950cfcba45ee9fa1a91c2609

SHA1
3fcfa2d203470e558ffafe2ca5b3169dac26baca

SHA256
be374d3d7d650e5e299a4e3e0b321cb4185086863b7dd8d936c08f5a2fd11b7c

SHA512
3aeda9c20e56c297cde908ef681fc32aa7915fd17416be2877a1fddafc11aaf105905a724789a59f8f9c2b082a339d8573eee81aa9f7277abdd7f40b7c22811f

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state
Filesize
3KB

MD5
0efaec7e3d7f39ad0d4251204a4dc9f3

SHA1
47a08b60efe0bdca06cbb3012146368b47087cd5

SHA256
0843582ac1a7d2a5b467d2b2f8ae61ada8b7b7486d087943a7613e9d182660ab

SHA512
2ba95a247f410c8e3c6d4ddb2afdbd931b78581e0bf515acfaeda6775f1ab011bfde6fc1761740cd263d4aae333879b453a9f9e46b70992103d836146c7984c1

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\torrc
Filesize
157B

MD5
8ea874223f853aac5ea469ccc164a8f9

SHA1
70d31011547870c9f930496dbf9fb7ec296a8c28

SHA256
95e134044f370b2a96408d581f3c0381fe95388dae27c6d9598f44dc7d72b9ed

SHA512
fd1dc20219fbf4863926d90b5a2127b65e165656eac4493a80288d0c57fc309ed998b5d30fe8ce313987ee367fc4fe9b6026ff32d4391950d7f26ca7b6fdcdf2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/116-252-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/116-256-0x0000000073510000-0x00000000735D8000-memory.dmp

Filesize
800KB

Download
memory/116-263-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/116-261-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/116-258-0x0000000073440000-0x000000007350E000-memory.dmp

Filesize
824KB

Download
memory/116-266-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/116-267-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/116-277-0x0000000073510000-0x00000000735D8000-memory.dmp

Filesize
800KB

Download
memory/116-254-0x00000000735E0000-0x00000000738AF000-memory.dmp

Filesize
2.8MB

Download
memory/116-276-0x00000000735E0000-0x00000000738AF000-memory.dmp

Filesize
2.8MB

Download
memory/116-275-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/116-274-0x0000000073440000-0x000000007350E000-memory.dmp

Filesize
824KB

Download
memory/1232-290-0x0000000073440000-0x000000007350E000-memory.dmp

Filesize
824KB

Download
memory/1232-297-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/1232-310-0x0000000073510000-0x00000000735D8000-memory.dmp

Filesize
800KB

Download
memory/1232-309-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/1232-289-0x0000000073510000-0x00000000735D8000-memory.dmp

Filesize
800KB

Download
memory/1232-293-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/1232-291-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/1232-292-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/1232-296-0x00000000735E0000-0x00000000738AF000-memory.dmp

Filesize
2.8MB

Download
memory/1492-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1492-221-0x0000000072FE0000-0x0000000073019000-memory.dmp

Filesize
228KB

Download
memory/1492-47-0x0000000072D70000-0x0000000072DA9000-memory.dmp

Filesize
228KB

Download
memory/1492-107-0x0000000073E80000-0x0000000073EB9000-memory.dmp

Filesize
228KB

Download
memory/1492-1-0x00000000742C0000-0x00000000742F9000-memory.dmp

Filesize
228KB

Download
memory/2608-179-0x00000000736C0000-0x00000000736E4000-memory.dmp

Filesize
144KB

Download
memory/2608-160-0x00000000735F0000-0x00000000736B8000-memory.dmp

Filesize
800KB

Download
memory/2608-180-0x0000000073210000-0x000000007331A000-memory.dmp

Filesize
1.0MB

Download
memory/2608-169-0x0000000073180000-0x0000000073208000-memory.dmp

Filesize
544KB

Download
memory/2608-178-0x00000000736F0000-0x0000000073739000-memory.dmp

Filesize
292KB

Download
memory/2608-177-0x0000000073740000-0x000000007380E000-memory.dmp

Filesize
824KB

Download
memory/2608-181-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/2608-182-0x0000000073320000-0x00000000735EF000-memory.dmp

Filesize
2.8MB

Download
memory/2608-183-0x00000000735F0000-0x00000000736B8000-memory.dmp

Filesize
800KB

Download
memory/2608-157-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/2608-159-0x0000000073320000-0x00000000735EF000-memory.dmp

Filesize
2.8MB

Download
memory/2608-162-0x0000000073740000-0x000000007380E000-memory.dmp

Filesize
824KB

Download
memory/2608-166-0x0000000073210000-0x000000007331A000-memory.dmp

Filesize
1.0MB

Download
memory/2608-163-0x00000000736F0000-0x0000000073739000-memory.dmp

Filesize
292KB

Download
memory/2608-164-0x00000000736C0000-0x00000000736E4000-memory.dmp

Filesize
144KB

Download
memory/3164-262-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3164-205-0x00000000735E0000-0x00000000738AF000-memory.dmp

Filesize
2.8MB

Download
memory/3164-200-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/3164-203-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/3164-197-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/3164-222-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3164-231-0x0000000073510000-0x00000000735D8000-memory.dmp

Filesize
800KB

Download
memory/3164-232-0x0000000073440000-0x000000007350E000-memory.dmp

Filesize
824KB

Download
memory/3164-204-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/3164-196-0x0000000073440000-0x000000007350E000-memory.dmp

Filesize
824KB

Download
memory/3164-195-0x0000000073510000-0x00000000735D8000-memory.dmp

Filesize
800KB

Download
memory/3292-95-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-44-0x0000000073180000-0x0000000073208000-memory.dmp

Filesize
544KB

Download
memory/3292-126-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-118-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-110-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-165-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-86-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-76-0x00000000013F0000-0x0000000001478000-memory.dmp

Filesize
544KB

Download
memory/3292-68-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-58-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-48-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-134-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download
memory/3292-45-0x00000000013F0000-0x0000000001478000-memory.dmp

Filesize
544KB

Download
memory/3292-46-0x0000000073740000-0x000000007380E000-memory.dmp

Filesize
824KB

Download
memory/3292-43-0x0000000073210000-0x000000007331A000-memory.dmp

Filesize
1.0MB

Download
memory/3292-42-0x00000000735F0000-0x00000000736B8000-memory.dmp

Filesize
800KB

Download
memory/3292-41-0x0000000073320000-0x00000000735EF000-memory.dmp

Filesize
2.8MB

Download
memory/3292-40-0x0000000001C30000-0x0000000001EFF000-memory.dmp

Filesize
2.8MB

Download
memory/3292-39-0x00000000736C0000-0x00000000736E4000-memory.dmp

Filesize
144KB

Download
memory/3292-35-0x00000000736F0000-0x0000000073739000-memory.dmp

Filesize
292KB

Download
memory/3292-34-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Filesize
4.0MB

Download