Resubmissions
240409-q5ca5abh9y  09-04-2024 13:50  10
240409-q5bplagf55  09-04-2024 13:50  10
240409-q5a33abh9v  09-04-2024 13:50  10
240409-q5asasgf53  09-04-2024 13:50  10
230828-b68cmaef44  28-08-2023 01:46  10

Analysis
max time kernel: 1201s
max time network: 1204s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-04-2024 10:39
Behavioral tasks
behavioral1: sample d151ec74b0a409363d9401eeb348efaa.exe, resource win7-20240221-en
behavioral2: sample d151ec74b0a409363d9401eeb348efaa.exe, resource win10-20240404-en
behavioral3: sample d151ec74b0a409363d9401eeb348efaa.exe, resource win10v2004-20240226-en
behavioral4: sample d151ec74b0a409363d9401eeb348efaa.exe, resource win11-20240412-en
General
Target: d151ec74b0a409363d9401eeb348efaa.exe
Size: 7.8MB
MD5: d151ec74b0a409363d9401eeb348efaa
SHA1: 36aefe3ff9c3f0d0318288259b2b7473855972fd
SHA256: def365ca4816c8d33a32a6ccf7632a875c77672c2c148d6720e8b26f66e5eec6
SHA512: 053d850ef72a40d11735f927bf17f6df542eba622895c3a61c9294d79037c67330dfe7a6b81ec50e3a2bd8612504bdbf81161aae7925be8e2612c752725022ec
SSDEEP: 196608:LIRcbH4jSteTGvzxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuzxwZ6v1CPwDv3uFteg2EeJUO9E
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (7 IoCs)
Detects file using ACProtect software.
Resources matching yara rule acprotect:
- behavioral3/files/0x0007000000023268-17.dat
- behavioral3/files/0x0007000000023269-18.dat
- behavioral3/files/0x000700000002326f-23.dat
- behavioral3/files/0x000700000002326b-19.dat
- behavioral3/files/0x000700000002326c-26.dat
- behavioral3/files/0x000700000002326d-27.dat
- behavioral3/files/0x000700000002326a-33.dat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: d151ec74b0a409363d9401eeb348efaa.exe)
Executes dropped EXE (36 IoCs)
Process dllhost.exe with PIDs: 4536, 4824, 5112, 3140, 4068, 4800, 4644, 2140, 1392, 3620, 396, 5104, 4860, 2904, 1992, 368, 3380, 4392, 1800, 4408, 3952, 2284, 3808, 4424, 320, 5084, 1436, 4176, 4204, 4888, 1352, 2816, 2552, 2624, 4464, 4744

Loads dropped DLL (64 IoCs)
Process dllhost.exe; number of DLL loads per PID:
- 4536: 9
- 4824: 7
- 5112: 7
- 3140: 7
- 4068: 7
- 4800: 7
- 4644: 7
- 2140: 7
- 1392: 6
UPX (yara rule upx, 64 IoCs)
Resources matching yara rule upx:
- behavioral3/files/0x000700000002326e-13.dat
- behavioral3/files/0x0007000000023268-17.dat
- behavioral3/memory/4536-21-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/files/0x0007000000023269-18.dat
- behavioral3/files/0x000700000002326f-23.dat
- behavioral3/files/0x000700000002326b-19.dat
- behavioral3/files/0x000700000002326c-26.dat
- behavioral3/memory/4536-29-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/4536-31-0x0000000073F20000-0x0000000073F69000-memory.dmp
- behavioral3/files/0x000700000002326d-27.dat
- behavioral3/memory/4536-36-0x0000000073CB0000-0x0000000073D38000-memory.dmp
- behavioral3/files/0x000700000002326a-33.dat
- behavioral3/memory/4536-32-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/4536-30-0x0000000073F70000-0x0000000073F94000-memory.dmp
- behavioral3/memory/4536-38-0x0000000073D40000-0x0000000073E4A000-memory.dmp
- behavioral3/memory/4536-41-0x00000000739E0000-0x0000000073CAF000-memory.dmp
- behavioral3/memory/4536-47-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-48-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/4536-50-0x0000000073F20000-0x0000000073F69000-memory.dmp
- behavioral3/memory/4536-51-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/4536-52-0x0000000073D40000-0x0000000073E4A000-memory.dmp
- behavioral3/memory/4536-49-0x0000000073F70000-0x0000000073F94000-memory.dmp
- behavioral3/memory/4536-53-0x0000000073CB0000-0x0000000073D38000-memory.dmp
- behavioral3/memory/4536-54-0x00000000739E0000-0x0000000073CAF000-memory.dmp
- behavioral3/memory/4536-55-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-56-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-76-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-94-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-102-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-110-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4536-118-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4824-128-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4824-136-0x00000000739E0000-0x0000000073CAF000-memory.dmp
- behavioral3/memory/4824-137-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/4824-138-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/4824-139-0x0000000073F20000-0x0000000073F69000-memory.dmp
- behavioral3/memory/4824-140-0x0000000073F70000-0x0000000073F94000-memory.dmp
- behavioral3/memory/4824-141-0x0000000073D40000-0x0000000073E4A000-memory.dmp
- behavioral3/memory/4824-142-0x0000000073CB0000-0x0000000073D38000-memory.dmp
- behavioral3/memory/4824-155-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4824-156-0x00000000739E0000-0x0000000073CAF000-memory.dmp
- behavioral3/memory/4824-157-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/4824-158-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/4824-174-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/4824-220-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/5112-225-0x00000000739E0000-0x0000000073CAF000-memory.dmp
- behavioral3/memory/5112-226-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/5112-227-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/5112-228-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/5112-230-0x0000000073F20000-0x0000000073F69000-memory.dmp
- behavioral3/memory/5112-232-0x0000000073F70000-0x0000000073F94000-memory.dmp
- behavioral3/memory/5112-233-0x0000000073D40000-0x0000000073E4A000-memory.dmp
- behavioral3/memory/5112-234-0x0000000073CB0000-0x0000000073D38000-memory.dmp
- behavioral3/memory/5112-259-0x00000000739E0000-0x0000000073CAF000-memory.dmp
- behavioral3/memory/5112-260-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/5112-262-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/5112-261-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/3140-290-0x0000000000630000-0x0000000000A34000-memory.dmp
- behavioral3/memory/3140-292-0x0000000073FA0000-0x0000000074068000-memory.dmp
- behavioral3/memory/3140-294-0x0000000073E50000-0x0000000073F1E000-memory.dmp
- behavioral3/memory/3140-296-0x0000000073F20000-0x0000000073F69000-memory.dmp
- behavioral3/memory/3140-298-0x0000000073F70000-0x0000000073F94000-memory.dmp
- behavioral3/memory/3140-300-0x0000000073D40000-0x0000000073E4A000-memory.dmp
- behavioral3/memory/3140-301-0x0000000073CB0000-0x0000000073D38000-memory.dmp
Looks up external IP address via web service (24 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
All 24 flows contacted myexternalip.com; flow ids: 248, 263, 113, 121, 166, 172, 186, 207, 214, 229, 134, 159, 180, 192, 201, 241, 270, 86, 106, 142, 87, 148, 221, 255

Uses Tor communications (1 TTPs)
Malware can proxy its traffic through Tor for more anonymity.

Suspicious use of NtSetInformationThreadHideFromDebugger (27 IoCs)
All 27 entries: PID 3672, process d151ec74b0a409363d9401eeb348efaa.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeShutdownPrivilege, PID 3672, process d151ec74b0a409363d9401eeb348efaa.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Both entries: PID 3672, process d151ec74b0a409363d9401eeb348efaa.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Source in every entry: PID 3672, process d151ec74b0a409363d9401eeb348efaa.exe. Target PID (procid_target) and number of entries:
- 4536 (91): 3
- 4824 (101): 3
- 5112 (102): 3
- 3140 (103): 3
- 4068 (104): 3
- 4800 (105): 3
- 4644 (106): 3
- 2140 (107): 3
- 1392 (108): 3
- 3620 (109): 3
- 396 (110): 3
- 5104 (111): 3
- 4860 (112): 3
- 2904 (113): 3
- 1992 (115): 3
- 368 (116): 3
- 3380 (117): 3
- 4392 (118): 3
- 1800 (119): 3
- 4408 (120): 3
- 3952 (121): 3
- 2284 (122): 1 (list truncated at 64 entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\d151ec74b0a409363d9401eeb348efaa.exe" (PID 3672)
  Checks computer location settings; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4536): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4824): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 5112): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 3140): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4068): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4800): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4644): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 2140): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 1392): Executes dropped EXE; Loads dropped DLL
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 3620): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 396): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 5104): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4860): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 2904): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 1992): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 368): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 3380): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4392): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 1800): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4408): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 3952): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 2284): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 3808): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4424): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 320): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 5084): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 1436): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4176): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4204): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4888): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 1352): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 2816): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 2552): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 2624): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4464): Executes dropped EXE
  - "C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc (PID 4744): Executes dropped EXE
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8 (PID 4480)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8 (PID 2796)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15KB
MD5: 4a082307354b54c426896db32166ca27
SHA1: 54b68387729a0a0e746c7cbfea0852044f7c9439
SHA256: 29d2d2b0407b89be128e8e1b0d352858c48744037090ab1d5a88ba01cd0626e8
SHA512: bb2cbdaf38d4082987d63df04462f7a04d9ccc53c197da76e2e3e124b7b3407e7627309674fc1e0bc41de46043b45836ea86673662d766999a45a5c4d7aee57f

Filesize: 2.7MB
MD5: 9b2986911dd53fdda3a049f80e2fe4c8
SHA1: 2e9e3f7bd2ed141fcedfd8c9caa787b04a96db67
SHA256: 1baf86a01a45e998d4e94c0c85c8bd5a7058693fe4587e2ada13eebec809ff2d
SHA512: 45e8cb3eeff3b2b2d3f0dd5f124fdf660698ccba9a346bcc502b7672bc65ca30f0fa507a4b69eb1dda7fe9b033b9abb1ea4a6d914c8b7b395a6220cf21af9187

Filesize: 12.4MB
MD5: f291395aebe7dd75d7571c668c192abf
SHA1: e939dbf0984293d2fe79242c617756dfc6d9c900
SHA256: d87af464bd1a51b0692ea568629e8cd84fe3f32a28ef2537d9a9a1f6286a0bed
SHA512: 7d04bad7e69532be2afa0c1b9df4df16e3180e312f8e402405be0e6bc664b9193f8d5bb48a1b2a776e2e09643b43b38714d18d6f4575639114e9d14acd0ad1a1

Filesize: 8.0MB
MD5: 1e527dc13d3838cfb340ca4eb1be3dda
SHA1: 49b0df8efe897b4ca37c6be9dd1617eaa32b6536
SHA256: 7328d86ca421a7d6cce27b4ffa1ea04feb696c28af7a7f0f207323fbcfccc958
SHA512: 8fb13b3de8e0b1a1ebe71932456ab98f8c6c945b5bc38a41d56046c32905bacfeaa83d00b09e2080b37c141a6215d284f27101f4844e7935609da676d14dcc5c

Filesize: 12.4MB
MD5: 47082bd92a8871edf9e907ee2815e920
SHA1: 5cb76784c388716f0f109613cbc43da8fe2d8ed2
SHA256: 1bf9acd67a2f10383ab180fed721ca04740e73d82e2f130bb617dab38ca8a164
SHA512: e70f51060692efca6c983dbd5233cd02bebf805f16616541d067d79b599225c63a2f6982bc41f73e8bbab01f1dd179b368112432bba07a6c6105514917ea9916

Filesize: 7.1MB
MD5: 1e99d91ec26953bdfed667c70bac4017
SHA1: 139d2d30a863639b026f5b1301bddd3a81d1f0e8
SHA256: 58ef30b7cf140ac8b6f4582df0d8f4477dd9f26d70ce62f0860f37fdc8ed687e
SHA512: c6403d7855fcd59a99b4a1cb6871efa182a89efa1412f4cbbc60bbf313d7ebaf0e9f7d4c05edc2e4187d1dd219a6bed35e81d5f6bf6ea3499501fc144a2b6059

Filesize: 232B
MD5: 986f83f75aab4c2b10f94c01fb0ed099
SHA1: 25582ba4d29f4bb2424e31ff2d8b1d98aeee5f37
SHA256: 544fd246677e9c428666924fc8d70f3bf421e15104aca68ce5d8a9c22b904788
SHA512: bb933334b3f584ccd69d6044bbd03c214d8c9a257157ac005a4ed22d2a42f756f5fbb27c5dde7de1df40644b331538f19e6980a2a69feec97c48396f367e0664

Filesize: 3KB
MD5: 171de6fef68af9025cf8e219b8aa5b95
SHA1: 54256ca58b53a4c3b27f706123f9beb181d596a2
SHA256: 6e0d73d59bdd66896db1abf74c9b1b6d755f20b249fdac4a6190f5adb13486e2
SHA512: 4b6bc7317756c5f92e00a80b94d1b4ab0723fe43e95f8c534e16f069717a7ebefa393f35d1528b2b71c0667b087582b42491c29a1cb294ed6328d2f07a5410da

Filesize: 973KB
MD5: 5cfe61ff895c7daa889708665ef05d7b
SHA1: 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256: f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512: 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Filesize: 1.7MB
MD5: 2384a02c4a1f7ec481adde3a020607d3
SHA1: 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256: c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512: 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Filesize: 366KB
MD5: 099983c13bade9554a3c17484e5481f1
SHA1: a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256: b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512: 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Filesize: 286KB
MD5: b0d98f7157d972190fe0759d4368d320
SHA1: 5715a533621a2b642aad9616e603c6907d80efc4
SHA256: 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512: 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Filesize: 439KB
MD5: c88826ac4bb879622e43ead5bdb95aeb
SHA1: 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256: c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512: f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Filesize: 88KB
MD5: 2c916456f503075f746c6ea649cf9539
SHA1: fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256: cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512: 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Filesize: 188KB
MD5: d407cc6d79a08039a6f4b50539e560b8
SHA1: 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256: 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512: 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Filesize: 157B
MD5: eebf3cf47a1beca7d42881292f826fcc
SHA1: a37799483175f02dc9913f25389c574c13996164
SHA256: 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512: 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

Filesize: 52KB
MD5: add33041af894b67fe34e1dc819b7eb6
SHA1: 6db46eb021855a587c95479422adcc774a272eeb
SHA256: 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512: bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa