bitrat | 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

15-04-2024 13:19

10-04-2024 12:02

10-04-2024 12:02

Analysis

max time kernel
1802s
max time network
1820s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bff99becc32bcbe56efbe7a75f4d45.exe
Size

7.0MB
MD5

75bff99becc32bcbe56efbe7a75f4d45
SHA1

81bfcc77809161a5254a27d3d4d30548c96fcd5b
SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
SHA512

940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69
SSDEEP

49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes

communication_password
d93b4f1ee6f5b875a4f7fcef966bd09a
tor_process
WinSock

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral4/memory/2100-9-0x00000000097D0000-0x0000000009852000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-10-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-11-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-13-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-15-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-17-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-19-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-21-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-23-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-25-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-27-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-29-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-31-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-33-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-35-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-37-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-39-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-41-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-43-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-47-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-45-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-49-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-51-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-53-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-55-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-57-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-59-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-61-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-63-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-65-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-67-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-69-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-71-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1
behavioral4/memory/2100-73-0x00000000097D0000-0x000000000984C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","	75bff99becc32bcbe56efbe7a75f4d45.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x0003000000000735-2461.dat	acprotect
behavioral4/files/0x0003000000000743-2464.dat	acprotect
behavioral4/files/0x0003000000000741-2463.dat	acprotect
behavioral4/files/0x000300000000073b-2462.dat	acprotect
behavioral4/files/0x0003000000000749-2466.dat	acprotect
behavioral4/files/0x000300000000073d-2471.dat	acprotect
behavioral4/files/0x0003000000000745-2473.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	75bff99becc32bcbe56efbe7a75f4d45.exe

Executes dropped EXE 62 IoCs

pid	Process
3752	WinSock.exe
1108	WinSock.exe
2136	WinSock.exe
3100	WinSock.exe
4068	WinSock.exe
4768	WinSock.exe
1008	WinSock.exe
1424	WinSock.exe
3968	WinSock.exe
1500	WinSock.exe
3312	WinSock.exe
3084	WinSock.exe
2312	WinSock.exe
332	WinSock.exe
3084	WinSock.exe
4088	WinSock.exe
4832	WinSock.exe
1528	WinSock.exe
4348	WinSock.exe
2980	WinSock.exe
432	WinSock.exe
1900	WinSock.exe
4152	WinSock.exe
3672	WinSock.exe
1156	WinSock.exe
3392	WinSock.exe
4000	WinSock.exe
5080	WinSock.exe
2200	WinSock.exe
1596	WinSock.exe
3508	WinSock.exe
3212	WinSock.exe
3872	WinSock.exe
2496	WinSock.exe
1596	WinSock.exe
2184	WinSock.exe
3992	WinSock.exe
2620	WinSock.exe
2108	WinSock.exe
3828	WinSock.exe
4068	WinSock.exe
4924	WinSock.exe
4500	WinSock.exe
2836	WinSock.exe
3288	WinSock.exe
4304	WinSock.exe
4276	WinSock.exe
4460	WinSock.exe
2128	WinSock.exe
5012	WinSock.exe
2952	WinSock.exe
1668	WinSock.exe
1920	WinSock.exe
932	WinSock.exe
4824	WinSock.exe
1080	WinSock.exe
1884	WinSock.exe
4148	WinSock.exe
4112	WinSock.exe
1172	WinSock.exe
528	WinSock.exe
1556	WinSock.exe

Loads dropped DLL 64 IoCs

pid	Process
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
3752	WinSock.exe
1108	WinSock.exe
1108	WinSock.exe
1108	WinSock.exe
1108	WinSock.exe
1108	WinSock.exe
1108	WinSock.exe
1108	WinSock.exe
2136	WinSock.exe
2136	WinSock.exe
2136	WinSock.exe
2136	WinSock.exe
2136	WinSock.exe
2136	WinSock.exe
2136	WinSock.exe
3100	WinSock.exe
3100	WinSock.exe
3100	WinSock.exe
3100	WinSock.exe
3100	WinSock.exe
3100	WinSock.exe
3100	WinSock.exe
4068	WinSock.exe
4068	WinSock.exe
4068	WinSock.exe
4068	WinSock.exe
4068	WinSock.exe
4068	WinSock.exe
4068	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
4768	WinSock.exe
1008	WinSock.exe
1008	WinSock.exe
1008	WinSock.exe
1008	WinSock.exe
1008	WinSock.exe
1008	WinSock.exe
1008	WinSock.exe
1424	WinSock.exe
1424	WinSock.exe
1424	WinSock.exe
1424	WinSock.exe
1424	WinSock.exe
1424	WinSock.exe
1424	WinSock.exe
3968	WinSock.exe
3968	WinSock.exe
3968	WinSock.exe
3968	WinSock.exe
3968	WinSock.exe
3968	WinSock.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0003000000000747-2457.dat	upx
behavioral4/files/0x0003000000000735-2461.dat	upx
behavioral4/files/0x0003000000000743-2464.dat	upx
behavioral4/files/0x0003000000000741-2463.dat	upx
behavioral4/files/0x000300000000073b-2462.dat	upx
behavioral4/memory/3752-2467-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx
behavioral4/memory/3752-2469-0x0000000073DE0000-0x0000000073EAE000-memory.dmp	upx
behavioral4/files/0x0003000000000749-2466.dat	upx
behavioral4/files/0x000300000000073d-2471.dat	upx
behavioral4/memory/3752-2474-0x0000000073DB0000-0x0000000073DD4000-memory.dmp	upx
behavioral4/memory/3752-2475-0x0000000073EB0000-0x0000000073EF9000-memory.dmp	upx
behavioral4/files/0x0003000000000745-2473.dat	upx
behavioral4/memory/3752-2478-0x0000000073F00000-0x0000000073FC8000-memory.dmp	upx
behavioral4/memory/3752-2481-0x0000000073CA0000-0x0000000073DAA000-memory.dmp	upx
behavioral4/memory/3752-2482-0x0000000073C10000-0x0000000073C98000-memory.dmp	upx
behavioral4/memory/3752-2485-0x0000000073940000-0x0000000073C0F000-memory.dmp	upx
behavioral4/memory/3752-2506-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx
behavioral4/memory/3752-2507-0x0000000073DE0000-0x0000000073EAE000-memory.dmp	upx
behavioral4/memory/3752-2508-0x0000000073DB0000-0x0000000073DD4000-memory.dmp	upx
behavioral4/memory/3752-2509-0x0000000073EB0000-0x0000000073EF9000-memory.dmp	upx
behavioral4/memory/3752-2510-0x0000000073F00000-0x0000000073FC8000-memory.dmp	upx
behavioral4/memory/3752-2520-0x0000000073CA0000-0x0000000073DAA000-memory.dmp	upx
behavioral4/memory/3752-2521-0x0000000073C10000-0x0000000073C98000-memory.dmp	upx
behavioral4/memory/3752-2522-0x0000000073940000-0x0000000073C0F000-memory.dmp	upx
behavioral4/memory/3752-2621-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx
behavioral4/memory/1108-2626-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx
behavioral4/memory/1108-2629-0x0000000073940000-0x0000000073C0F000-memory.dmp	upx
behavioral4/memory/1108-2632-0x0000000073F00000-0x0000000073FC8000-memory.dmp	upx
behavioral4/memory/1108-2634-0x0000000073EB0000-0x0000000073EF9000-memory.dmp	upx
behavioral4/memory/1108-2635-0x0000000073DB0000-0x0000000073DD4000-memory.dmp	upx
behavioral4/memory/1108-2633-0x0000000073DE0000-0x0000000073EAE000-memory.dmp	upx
behavioral4/memory/1108-2636-0x0000000073CA0000-0x0000000073DAA000-memory.dmp	upx
behavioral4/memory/1108-2637-0x0000000073C10000-0x0000000073C98000-memory.dmp	upx
behavioral4/memory/1108-2664-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx
behavioral4/memory/1108-2665-0x0000000073940000-0x0000000073C0F000-memory.dmp	upx
behavioral4/memory/2136-2695-0x0000000073F00000-0x0000000073FC8000-memory.dmp	upx
behavioral4/memory/2136-2696-0x0000000073DE0000-0x0000000073EAE000-memory.dmp	upx
behavioral4/memory/2136-2698-0x0000000073DB0000-0x0000000073DD4000-memory.dmp	upx
behavioral4/memory/2136-2697-0x0000000073EB0000-0x0000000073EF9000-memory.dmp	upx
behavioral4/memory/2136-2700-0x0000000073C10000-0x0000000073C98000-memory.dmp	upx
behavioral4/memory/2136-2699-0x0000000073CA0000-0x0000000073DAA000-memory.dmp	upx
behavioral4/memory/2136-2701-0x0000000073940000-0x0000000073C0F000-memory.dmp	upx
behavioral4/memory/2136-2713-0x0000000073DE0000-0x0000000073EAE000-memory.dmp	upx
behavioral4/memory/2136-2712-0x0000000073F00000-0x0000000073FC8000-memory.dmp	upx
behavioral4/memory/2136-2711-0x0000000073940000-0x0000000073C0F000-memory.dmp	upx
behavioral4/memory/2136-2716-0x0000000073CA0000-0x0000000073DAA000-memory.dmp	upx
behavioral4/memory/2136-2717-0x0000000073C10000-0x0000000073C98000-memory.dmp	upx
behavioral4/memory/2136-2714-0x0000000073EB0000-0x0000000073EF9000-memory.dmp	upx
behavioral4/memory/2136-2715-0x0000000073DB0000-0x0000000073DD4000-memory.dmp	upx
behavioral4/memory/2136-2718-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx
behavioral4/memory/3100-2761-0x00000000008A0000-0x0000000000CA4000-memory.dmp	upx

Looks up external IP address via web service 44 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
98	myexternalip.com
101	myexternalip.com
220	myexternalip.com
411	myexternalip.com
449	myexternalip.com
571	myexternalip.com
247	myexternalip.com
456	myexternalip.com
464	myexternalip.com
485	myexternalip.com
513	myexternalip.com
527	myexternalip.com
535	myexternalip.com
112	myexternalip.com
254	myexternalip.com
491	myexternalip.com
549	myexternalip.com
88	myexternalip.com
92	myexternalip.com
419	myexternalip.com
427	myexternalip.com
433	myexternalip.com
542	myexternalip.com
556	myexternalip.com
269	myexternalip.com
441	myexternalip.com
471	myexternalip.com
520	myexternalip.com
578	myexternalip.com
74	myexternalip.com
121	myexternalip.com
185	myexternalip.com
240	myexternalip.com
261	myexternalip.com
403	myexternalip.com
478	myexternalip.com
499	myexternalip.com
506	myexternalip.com
73	myexternalip.com
211	myexternalip.com
226	myexternalip.com
233	myexternalip.com
279	myexternalip.com
563	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 47 IoCs

pid	Process
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe
2100	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4752	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeShutdownPrivilege	4752	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4752	75bff99becc32bcbe56efbe7a75f4d45.exe
4752	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4444	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 2100 wrote to memory of 4444	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 2100 wrote to memory of 4444	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 2100 wrote to memory of 4692	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 2100 wrote to memory of 4692	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 2100 wrote to memory of 4692	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 2100 wrote to memory of 1600	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 2100 wrote to memory of 1600	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 2100 wrote to memory of 1600	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 2100 wrote to memory of 4752	2100	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 4752 wrote to memory of 3752	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 4752 wrote to memory of 3752	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 4752 wrote to memory of 3752	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 4752 wrote to memory of 1108	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 4752 wrote to memory of 1108	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 4752 wrote to memory of 1108	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 4752 wrote to memory of 2136	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	105
PID 4752 wrote to memory of 2136	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	105
PID 4752 wrote to memory of 2136	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	105
PID 4752 wrote to memory of 3100	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	106
PID 4752 wrote to memory of 3100	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	106
PID 4752 wrote to memory of 3100	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	106
PID 4752 wrote to memory of 4068	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	107
PID 4752 wrote to memory of 4068	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	107
PID 4752 wrote to memory of 4068	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	107
PID 4752 wrote to memory of 4768	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	108
PID 4752 wrote to memory of 4768	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	108
PID 4752 wrote to memory of 4768	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	108
PID 4752 wrote to memory of 1008	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	109
PID 4752 wrote to memory of 1008	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	109
PID 4752 wrote to memory of 1008	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	109
PID 4752 wrote to memory of 1424	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	110
PID 4752 wrote to memory of 1424	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	110
PID 4752 wrote to memory of 1424	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	110
PID 4752 wrote to memory of 3968	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	116
PID 4752 wrote to memory of 3968	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	116
PID 4752 wrote to memory of 3968	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	116
PID 4752 wrote to memory of 1500	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	118
PID 4752 wrote to memory of 1500	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	118
PID 4752 wrote to memory of 1500	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	118
PID 4752 wrote to memory of 3312	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	121
PID 4752 wrote to memory of 3312	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	121
PID 4752 wrote to memory of 3312	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	121
PID 4752 wrote to memory of 3084	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	122
PID 4752 wrote to memory of 3084	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	122
PID 4752 wrote to memory of 3084	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	122
PID 4752 wrote to memory of 2312	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	124
PID 4752 wrote to memory of 2312	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	124
PID 4752 wrote to memory of 2312	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	124
PID 4752 wrote to memory of 332	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	125
PID 4752 wrote to memory of 332	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	125
PID 4752 wrote to memory of 332	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	125
PID 4752 wrote to memory of 3084	4752	75bff99becc32bcbe56efbe7a75f4d45.exe	126

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3752
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1108
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2136
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3100
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4068
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4768
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1008
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1424
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3968
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1500
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3312
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3084
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2312
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:332
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3084
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4832
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:432
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4152
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3672
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1156
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3392
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4000
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5080
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1596
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3508
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3212
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3872
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2496
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1596
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3992
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3828
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4068
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4924
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4500
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3288
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4304
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4460
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:5012
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1920
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:932
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4824
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1080
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1884
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4148
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4112
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1172
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:528
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs

Filesize
13KB

MD5
42cb4329657a871427c95c47dc80bde9

SHA1
a0bcddf821c7dffe76c82a7843ceddc485dd5e6b

SHA256
5f3617eb08c18b58f2ba92efb9fa801e6509687e5386b9e81e8c904c799adfb6

SHA512
53d77a31f9d3854fd5a1eb865b2a0ff49bcf62ae7d07e7adda5e120a2ccffe5d59365c88e3e79eac6979d318a635c423953a5bbb628ac9d83d77f0f574a1ad5e

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs

Filesize
20KB

MD5
1bf8da2f6a2ff804f978ac8de1c75b79

SHA1
7fd73c7d41e0e2aebdf134ce415d8762eea793f0

SHA256
492c2a0ae5e64db899f1ca410b863788b3ba9acb74bbc31e6601d6e6754ed846

SHA512
9174800d4ec56cc7eec5c2b05e8a8be54f5832f22b22c5fb713d255a078cd08321b6d6728c0958f2f6a843bbd558f234b17bccda0e9ea5e05cd86cad6f85ec10

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
824d601100461dff98727da8170c4db0

SHA1
b9734355b4ecc7021f0985dbb4c2227fe21bd882

SHA256
a212dc71ce3cb610fe044bbfe0301a48d464cea4dfba3b9e402a12cdc79a86d0

SHA512
0bc856b9671a4a858cca76ed8ed9b556ff237a04e2b4b0feac2fdfd7b72331d3fe822153a3d27c146ff73580b9a98e1d122a9e6bf9da0d69db6e3f5868599aec

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs

Filesize
20.1MB

MD5
45a7fed2b5d121aef340443665676726

SHA1
6c6b692caf0f362fd78023ebb3598afb043791e4

SHA256
c0ff0241dabe9c11d2e02738bbe2d381778b4574876c4a5a976f081b9bf797cb

SHA512
c00b353d6d3de588a6634d14cc000354f6055ac6ed039d317e1469f58c35bf96121f652145a35fbf178dbfbd7d273784599a3ce78f421f49491aaf7de506c60d

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new

Filesize
7.0MB

MD5
a6f14e02d8a57ee06136949108c88acf

SHA1
21b22b17c3baa1e8300b06e415de7fda3b659d00

SHA256
cb2800fa03280ef6fc0de62f497c1ad9c825a6742611fb31705aa64f98838f50

SHA512
b30bfdb615eae52cb7804118c63d0437cade6a1ea5c328b138a116e267a4441361b1430af07d1888705e36f3d588feba3f9221026e9622ca577706e43f7265ba

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new

Filesize
20.1MB

MD5
33e6ff9c8dc3fd7a6350ab3af57d7e38

SHA1
480b91865923a5710d7db2ab6d8bf9ea85d55794

SHA256
481615e8d4f2c567c5623921fe9e232ac948f5e1494f6caaa98a0f061be1739c

SHA512
c5340f85a58df6c32339c6a634f6e7cc844791051eafd153f890161c6a277558fe7c1c7ed51bf309432cbdc6859521d9dd4573cc86a4f05b7d032791b8d655cc

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
3KB

MD5
4d1b168c42782b536554d9f50a8f007c

SHA1
279a70e6d279141b73d9d77af3d00dc6a594495e

SHA256
07acce0c768b8b891b3c96c742a6516996fc00e6685baebdce4051e38c40fbc6

SHA512
d3d4aeac922f4a2f9896569b3d78737e55527c31b6f4c769126880d8a0d09cef86a8f48be2647b222b7cd14763a694666600a4ccb9000b1697b61dee28f59bf0

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
232B

MD5
3198978027fb082dee47a79b4d7c8dc7

SHA1
6e84b9d4e022de5c11c61ea4d0c15a32f8737e9f

SHA256
04793b01a76493c9eb07558914cdcc91c2913398b3345b0e4c00c0f49c52478c

SHA512
dc87ce98e6000942d1dce794ff29dc90b066125c965d20e3df021337a40e3df5efd067ce78d2900118196f11c88bb00b468cfdbc2d03759d784a4374f7b4d676

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\torrc

Filesize
157B

MD5
68afdef35a6105c2b148649bd05901b0

SHA1
828a2b590a95c2a411cc1b0004207747f2571024

SHA256
4e4e4e7f9fb03bcb898ce4f6075e3082d3a341d9fff1955ddf45089f83565622

SHA512
f198da05ec57c8525e6643f7f2c212701d0ab641d2850a28ce4cea7c33ac7b5c75782273bf7f01f95ccf02e27adf7c237ed116c5b0f220c13e70fe0aa7cfc671

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1108-2665-0x0000000073940000-0x0000000073C0F000-memory.dmp

Filesize
2.8MB

Download
memory/1108-2626-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/1108-2664-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/1108-2629-0x0000000073940000-0x0000000073C0F000-memory.dmp

Filesize
2.8MB

Download
memory/1108-2632-0x0000000073F00000-0x0000000073FC8000-memory.dmp

Filesize
800KB

Download
memory/1108-2637-0x0000000073C10000-0x0000000073C98000-memory.dmp

Filesize
544KB

Download
memory/1108-2634-0x0000000073EB0000-0x0000000073EF9000-memory.dmp

Filesize
292KB

Download
memory/1108-2635-0x0000000073DB0000-0x0000000073DD4000-memory.dmp

Filesize
144KB

Download
memory/1108-2633-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

Filesize
824KB

Download
memory/1108-2636-0x0000000073CA0000-0x0000000073DAA000-memory.dmp

Filesize
1.0MB

Download
memory/2100-47-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-6-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/2100-45-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-49-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-51-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-53-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-55-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-57-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-59-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-61-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-63-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-65-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-67-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-69-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-71-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-73-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-1-0x0000000000030000-0x0000000000738000-memory.dmp

Filesize
7.0MB

Download
memory/2100-2442-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/2100-2-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/2100-43-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-41-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-39-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-37-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-35-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-3-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/2100-4-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2100-33-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-31-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-5-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/2100-0-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/2100-29-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-7-0x0000000007BC0000-0x00000000080E0000-memory.dmp

Filesize
5.1MB

Download
memory/2100-8-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2100-9-0x00000000097D0000-0x0000000009852000-memory.dmp

Filesize
520KB

Download
memory/2100-10-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-11-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-13-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-27-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-15-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-17-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-19-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-21-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-23-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2100-25-0x00000000097D0000-0x000000000984C000-memory.dmp

Filesize
496KB

Download
memory/2136-2712-0x0000000073F00000-0x0000000073FC8000-memory.dmp

Filesize
800KB

Download
memory/2136-2716-0x0000000073CA0000-0x0000000073DAA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-2718-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/2136-2715-0x0000000073DB0000-0x0000000073DD4000-memory.dmp

Filesize
144KB

Download
memory/2136-2695-0x0000000073F00000-0x0000000073FC8000-memory.dmp

Filesize
800KB

Download
memory/2136-2717-0x0000000073C10000-0x0000000073C98000-memory.dmp

Filesize
544KB

Download
memory/2136-2696-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

Filesize
824KB

Download
memory/2136-2711-0x0000000073940000-0x0000000073C0F000-memory.dmp

Filesize
2.8MB

Download
memory/2136-2714-0x0000000073EB0000-0x0000000073EF9000-memory.dmp

Filesize
292KB

Download
memory/2136-2713-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

Filesize
824KB

Download
memory/2136-2701-0x0000000073940000-0x0000000073C0F000-memory.dmp

Filesize
2.8MB

Download
memory/2136-2699-0x0000000073CA0000-0x0000000073DAA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-2700-0x0000000073C10000-0x0000000073C98000-memory.dmp

Filesize
544KB

Download
memory/2136-2697-0x0000000073EB0000-0x0000000073EF9000-memory.dmp

Filesize
292KB

Download
memory/2136-2698-0x0000000073DB0000-0x0000000073DD4000-memory.dmp

Filesize
144KB

Download
memory/3100-2761-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/3752-2507-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

Filesize
824KB

Download
memory/3752-2506-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/3752-2480-0x0000000001B10000-0x0000000001B98000-memory.dmp

Filesize
544KB

Download
memory/3752-2478-0x0000000073F00000-0x0000000073FC8000-memory.dmp

Filesize
800KB

Download
memory/3752-2475-0x0000000073EB0000-0x0000000073EF9000-memory.dmp

Filesize
292KB

Download
memory/3752-2467-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/3752-2474-0x0000000073DB0000-0x0000000073DD4000-memory.dmp

Filesize
144KB

Download
memory/3752-2469-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

Filesize
824KB

Download
memory/3752-2482-0x0000000073C10000-0x0000000073C98000-memory.dmp

Filesize
544KB

Download
memory/3752-2485-0x0000000073940000-0x0000000073C0F000-memory.dmp

Filesize
2.8MB

Download
memory/3752-2486-0x0000000001B10000-0x0000000001DDF000-memory.dmp

Filesize
2.8MB

Download
memory/3752-2519-0x0000000001B10000-0x0000000001B98000-memory.dmp

Filesize
544KB

Download
memory/3752-2520-0x0000000073CA0000-0x0000000073DAA000-memory.dmp

Filesize
1.0MB

Download
memory/3752-2481-0x0000000073CA0000-0x0000000073DAA000-memory.dmp

Filesize
1.0MB

Download
memory/3752-2510-0x0000000073F00000-0x0000000073FC8000-memory.dmp

Filesize
800KB

Download
memory/3752-2621-0x00000000008A0000-0x0000000000CA4000-memory.dmp

Filesize
4.0MB

Download
memory/3752-2508-0x0000000073DB0000-0x0000000073DD4000-memory.dmp

Filesize
144KB

Download
memory/3752-2521-0x0000000073C10000-0x0000000073C98000-memory.dmp

Filesize
544KB

Download
memory/3752-2509-0x0000000073EB0000-0x0000000073EF9000-memory.dmp

Filesize
292KB

Download
memory/3752-2523-0x0000000001B10000-0x0000000001DDF000-memory.dmp

Filesize
2.8MB

Download
memory/3752-2522-0x0000000073940000-0x0000000073C0F000-memory.dmp

Filesize
2.8MB

Download
memory/4752-2548-0x0000000074B40000-0x0000000074B79000-memory.dmp

Filesize
228KB

Download
memory/4752-2497-0x0000000073530000-0x0000000073569000-memory.dmp

Filesize
228KB

Download
memory/4752-2496-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4752-2663-0x0000000072650000-0x0000000072689000-memory.dmp

Filesize
228KB

Download
memory/4752-2444-0x0000000074B20000-0x0000000074B59000-memory.dmp

Filesize
228KB

Download
memory/4752-2441-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download