bitrat | 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2

Resubmissions

26-04-2024 06:45

240426-hh76aaba6t 10

26-04-2024 06:44

26-04-2024 06:44

26-04-2024 06:44

26-04-2024 06:44

25-04-2024 13:09

Analysis

max time kernel
1793s
max time network
1803s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-04-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Size

11.7MB
MD5

aad57aa4be27a48ebfe54e35f8bf31d9
SHA1

cec3a059f103e163e6bfd0cbaa446045add97a89
SHA256

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
SHA512

423ecb0e593e7e862ba6a6f6d04937fdde737d5373620a61918522d348c25a39c40e0909e7e5dd4c52b5f546e6f15751a27d8820db0f1a10b98db25103d757b1
SSDEEP

196608:YN4reUU8Lxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQx6xtw3iFFrS6X/fTV73c:YN4reUPLxwZ6v1CPwDv3uFteg2EeJUOy

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.31

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
BitRAT payload 2 IoCs

Processes:

resource yara_rule

behavioral3/memory/2360-0-0x0000000000400000-0x0000000000FBD000-memory.dmp family_bitrat
behavioral3/memory/2360-53-0x0000000000400000-0x0000000000FBD000-memory.dmp family_bitrat

resource	yara_rule
behavioral3/memory/2360-0-0x0000000000400000-0x0000000000FBD000-memory.dmp	family_bitrat
behavioral3/memory/2360-53-0x0000000000400000-0x0000000000FBD000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll	acprotect
\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll	acprotect
\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll	acprotect
\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll	acprotect
\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll	acprotect
\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll	acprotect

Executes dropped EXE 64 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
1240	dllhost.exe
4556	dllhost.exe
4292	dllhost.exe
3428	dllhost.exe
888	dllhost.exe
2952	dllhost.exe
4920	dllhost.exe
1704	dllhost.exe
4752	dllhost.exe
4964	dllhost.exe
5040	dllhost.exe
4216	dllhost.exe
1244	dllhost.exe
4780	dllhost.exe
780	dllhost.exe
2600	dllhost.exe
2148	dllhost.exe
2488	dllhost.exe
4192	dllhost.exe
4052	dllhost.exe
1244	dllhost.exe
3840	dllhost.exe
2908	dllhost.exe
4548	dllhost.exe
1692	dllhost.exe
4656	dllhost.exe
4444	dllhost.exe
4516	dllhost.exe
4068	dllhost.exe
3732	dllhost.exe
2740	dllhost.exe
1624	dllhost.exe
1040	dllhost.exe
2888	dllhost.exe
3324	dllhost.exe
2616	dllhost.exe
4120	dllhost.exe
4304	dllhost.exe
1368	dllhost.exe
3252	dllhost.exe
5040	dllhost.exe
796	dllhost.exe
4676	dllhost.exe
4272	dllhost.exe
1400	dllhost.exe
2296	dllhost.exe
2208	dllhost.exe
4416	dllhost.exe
4952	dllhost.exe
1544	dllhost.exe
4672	dllhost.exe
4976	dllhost.exe
1232	dllhost.exe
2936	dllhost.exe
2272	dllhost.exe
216	dllhost.exe
4972	dllhost.exe
992	dllhost.exe
4352	dllhost.exe
1456	dllhost.exe
3412	dllhost.exe
1372	dllhost.exe
3644	dllhost.exe
5056	dllhost.exe

Loads dropped DLL 64 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
4556	dllhost.exe
4556	dllhost.exe
4556	dllhost.exe
4556	dllhost.exe
4556	dllhost.exe
4556	dllhost.exe
4556	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
4292	dllhost.exe
3428	dllhost.exe
3428	dllhost.exe
3428	dllhost.exe
3428	dllhost.exe
3428	dllhost.exe
3428	dllhost.exe
3428	dllhost.exe
888	dllhost.exe
888	dllhost.exe
888	dllhost.exe
888	dllhost.exe
888	dllhost.exe
888	dllhost.exe
888	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
4920	dllhost.exe
4920	dllhost.exe
4920	dllhost.exe
4920	dllhost.exe
4920	dllhost.exe
4920	dllhost.exe
4920	dllhost.exe
1704	dllhost.exe
1704	dllhost.exe
1704	dllhost.exe
1704	dllhost.exe
1704	dllhost.exe
1704	dllhost.exe
1704	dllhost.exe
4752	dllhost.exe
4752	dllhost.exe
4752	dllhost.exe
4752	dllhost.exe
4752	dllhost.exe
4752	dllhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll	upx
\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll	upx
\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll	upx
\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll	upx
\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll	upx
\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll	upx
behavioral3/memory/1240-31-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-32-0x0000000073680000-0x000000007374E000-memory.dmp	upx
behavioral3/memory/1240-33-0x0000000073630000-0x0000000073679000-memory.dmp	upx
behavioral3/memory/1240-34-0x0000000073600000-0x0000000073624000-memory.dmp	upx
behavioral3/memory/1240-39-0x0000000073460000-0x00000000734E8000-memory.dmp	upx
behavioral3/memory/1240-35-0x00000000734F0000-0x00000000735FA000-memory.dmp	upx
behavioral3/memory/1240-43-0x0000000073750000-0x0000000073818000-memory.dmp	upx
behavioral3/memory/1240-42-0x0000000073190000-0x000000007345F000-memory.dmp	upx
behavioral3/memory/1240-45-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-47-0x0000000073680000-0x000000007374E000-memory.dmp	upx
behavioral3/memory/1240-54-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-55-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-72-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-80-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-89-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-100-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-108-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/1240-116-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/4556-139-0x0000000073680000-0x000000007374E000-memory.dmp	upx
behavioral3/memory/4556-140-0x0000000073630000-0x0000000073679000-memory.dmp	upx
behavioral3/memory/4556-144-0x0000000073600000-0x0000000073624000-memory.dmp	upx
behavioral3/memory/4556-137-0x0000000073750000-0x0000000073818000-memory.dmp	upx
behavioral3/memory/4556-146-0x00000000734F0000-0x00000000735FA000-memory.dmp	upx
behavioral3/memory/1240-149-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/4556-150-0x0000000073190000-0x000000007345F000-memory.dmp	upx
behavioral3/memory/4556-148-0x0000000073460000-0x00000000734E8000-memory.dmp	upx
behavioral3/memory/4556-158-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/4556-160-0x0000000073680000-0x000000007374E000-memory.dmp	upx
behavioral3/memory/4556-159-0x0000000073750000-0x0000000073818000-memory.dmp	upx
behavioral3/memory/4556-161-0x0000000073600000-0x0000000073624000-memory.dmp	upx
behavioral3/memory/4292-172-0x0000000073950000-0x0000000073C1F000-memory.dmp	upx
behavioral3/memory/4292-173-0x0000000073880000-0x0000000073948000-memory.dmp	upx
behavioral3/memory/4292-175-0x0000000074120000-0x0000000074169000-memory.dmp	upx
behavioral3/memory/4292-176-0x00000000740F0000-0x0000000074114000-memory.dmp	upx
behavioral3/memory/4292-178-0x00000000736E0000-0x0000000073768000-memory.dmp	upx
behavioral3/memory/4292-177-0x0000000073770000-0x000000007387A000-memory.dmp	upx
behavioral3/memory/4292-181-0x0000000073610000-0x00000000736DE000-memory.dmp	upx
behavioral3/memory/4292-197-0x0000000073880000-0x0000000073948000-memory.dmp	upx
behavioral3/memory/4292-206-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/4292-207-0x0000000073950000-0x0000000073C1F000-memory.dmp	upx
behavioral3/memory/4292-209-0x0000000073610000-0x00000000736DE000-memory.dmp	upx
behavioral3/memory/3428-253-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/3428-265-0x0000000073950000-0x0000000073C1F000-memory.dmp	upx
behavioral3/memory/4292-267-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/3428-266-0x0000000073880000-0x0000000073948000-memory.dmp	upx
behavioral3/memory/3428-269-0x0000000073610000-0x00000000736DE000-memory.dmp	upx
behavioral3/memory/3428-271-0x0000000073770000-0x000000007387A000-memory.dmp	upx
behavioral3/memory/3428-273-0x00000000736E0000-0x0000000073768000-memory.dmp	upx
behavioral3/memory/3428-270-0x0000000074120000-0x0000000074169000-memory.dmp	upx
behavioral3/memory/3428-275-0x00000000740F0000-0x0000000074114000-memory.dmp	upx
behavioral3/memory/3428-282-0x0000000073880000-0x0000000073948000-memory.dmp	upx
behavioral3/memory/3428-283-0x0000000073610000-0x00000000736DE000-memory.dmp	upx
behavioral3/memory/3428-284-0x0000000074120000-0x0000000074169000-memory.dmp	upx
behavioral3/memory/3428-286-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral3/memory/3428-285-0x0000000073770000-0x000000007387A000-memory.dmp	upx
behavioral3/memory/3428-287-0x0000000073950000-0x0000000073C1F000-memory.dmp	upx

Looks up external IP address via web service 22 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
170	myexternalip.com
238	myexternalip.com
98	myexternalip.com
106	myexternalip.com
149	myexternalip.com
203	myexternalip.com
210	myexternalip.com
217	myexternalip.com
259	myexternalip.com
56	myexternalip.com
78	myexternalip.com
121	myexternalip.com
141	myexternalip.com
156	myexternalip.com
245	myexternalip.com
252	myexternalip.com
267	myexternalip.com
57	myexternalip.com
91	myexternalip.com
163	myexternalip.com
196	myexternalip.com
224	myexternalip.com

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious use of NtSetInformationThreadHideFromDebugger 46 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

pid	process
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

pid process

2360 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

description pid process

Token: SeShutdownPrivilege 2360 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

pid process

2360 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2360 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

description	pid	process
Token: SeShutdownPrivilege	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

description	pid	process	target process
PID 2360 wrote to memory of 1240	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1240	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1240	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4556	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4556	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4556	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4292	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4292	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4292	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 3428	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 3428	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 3428	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 888	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 888	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 888	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2952	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2952	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2952	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4920	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4920	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4920	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1704	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1704	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1704	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4752	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4752	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4752	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4964	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4964	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4964	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 5040	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 5040	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 5040	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4216	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4216	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4216	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1244	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1244	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1244	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4780	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4780	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4780	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 780	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 780	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 780	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2600	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2600	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2600	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2148	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2148	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2148	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2488	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2488	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 2488	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4192	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4192	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4192	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4052	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4052	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 4052	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1244	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1244	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 1244	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2360 wrote to memory of 3840	2360	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4556

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4292

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3428

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4920

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4752

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:780

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4192

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4052

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2908

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4548

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4516

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4068

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3732

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3324

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4120

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3252

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1400

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2936

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:216

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1456

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3644

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:3924

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:3532

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:2064

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:1340

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:1672

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:4444

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
Filesize
13KB

MD5
71e0e00a94a2f20c37736412c756bc47

SHA1
5a9553f9c82d8c2e4b07ac0a491f1d2215484cda

SHA256
3fd024e3c2d7503e061571b58b96675bb23001771e74b17469f6aabf0a278dff

SHA512
41790f999ed403fdad9244b35f0e73bfb29c8f55a84a8121c8974ad1beaa92800bb9d0b4814bbabb36f9b491d5f33325dd890d174d67feee480100c34865c14d

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
Filesize
2.5MB

MD5
e0c532df4b63edb19c242ef478980308

SHA1
e62c4db641e976bac705db9d547d213ff2c49217

SHA256
895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7

SHA512
da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Filesize
6.5MB

MD5
58f32456fe4600ee897e4bf0beab662e

SHA1
ee548e78797aa692444e56e1bd776923fa6936a9

SHA256
312775fafa859fc3621be31f9687359d667c110a254e948a173de9fb8ffa191c

SHA512
0d233ee2a2b93c55c19f1e5fef81edf49527ce9d13158f6fc10fe2d056546f278535180309601c8b3483e5d2538b8c71d6220ba9c266b34839e309a152c8a68b

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Filesize
9.3MB

MD5
67eb0bc983d5327faa121bff983c667d

SHA1
84350489d1d1f3100839ae54953c4e27d5834d2e

SHA256
770b8c68307465ec519babb2dabcae4751fa8e9775068248570276b8596e8a41

SHA512
962f135233bca368ee4bdda170f19f52b80fe5632cf08901b16a59af52e97e16da2c4f7594ecf4deb878280503ae14ad3c39456de088d1df876ccce41515e632

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Filesize
4.8MB

MD5
5f575431f7e62d3167cc2d302c2739f1

SHA1
9286844fff93aa97c515e9260ad4061821012b98

SHA256
5baa3e86b3f9aecda6801e2bdd1fbf290cefa09e57685908630f42d9cde5bac7

SHA512
dd7055a1873b452bccc6659731e89121b3253cb782feeda34cd35628f444c9c1f494a338449d5c1324fd0a0fe03d832af41a7a0e8b6c4af4d26cf5493964acb2

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
Filesize
7KB

MD5
53595bcee8aeb8667038288a537a8284

SHA1
ae6816e8128e202d219de9195299f394a6e6f612

SHA256
2558ee5ae2c43f7c7362e6b50bf206ef9f314556726581641aac115ed718b1fb

SHA512
c0a7627f2a90bcdf3621b9d6af1c5789fd1112090bcf9cbb7a690387d1163fd3f104fd8e5c7933be7ef6109339b3205e842b041c0d4879fa5e8860f26b6ff33c

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
Filesize
8KB

MD5
fb28e18cbcc519cb7a68527ce3093de3

SHA1
00ba773f5408cd2691e5c86cb1493f22d3ef956a

SHA256
692f362c1515d2a798c32dc60bedeef4da4af5769faffafcb8a6c6e1b178efde

SHA512
c1baa724e9bb628099fff803cd1b9c3fb5659759942e3190090fad1237afdb31ed983d5594d2d5e0348d60052db6f5738f808b11a6a9a62bebb9f11631306ce8

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
Filesize
139B

MD5
22ec9e4c1cdf6aca7b2997be93f46645

SHA1
df0a0e3373fc514518b70adfebc86c23c3f04bf8

SHA256
b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4

SHA512
d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

Download Submit
\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/888-298-0x0000000074120000-0x0000000074169000-memory.dmp

Filesize
292KB

Download
memory/888-299-0x00000000740F0000-0x0000000074114000-memory.dmp

Filesize
144KB

Download
memory/888-302-0x00000000736E0000-0x0000000073768000-memory.dmp

Filesize
544KB

Download
memory/888-305-0x0000000073950000-0x0000000073C1F000-memory.dmp

Filesize
2.8MB

Download
memory/888-306-0x0000000073610000-0x00000000736DE000-memory.dmp

Filesize
824KB

Download
memory/888-300-0x0000000073770000-0x000000007387A000-memory.dmp

Filesize
1.0MB

Download
memory/1240-34-0x0000000073600000-0x0000000073624000-memory.dmp

Filesize
144KB

Download
memory/1240-40-0x0000000001010000-0x0000000001098000-memory.dmp

Filesize
544KB

Download
memory/1240-31-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-54-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-55-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-63-0x0000000001010000-0x0000000001098000-memory.dmp

Filesize
544KB

Download
memory/1240-45-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-72-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-80-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-32-0x0000000073680000-0x000000007374E000-memory.dmp

Filesize
824KB

Download
memory/1240-89-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-100-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-108-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-116-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-33-0x0000000073630000-0x0000000073679000-memory.dmp

Filesize
292KB

Download
memory/1240-39-0x0000000073460000-0x00000000734E8000-memory.dmp

Filesize
544KB

Download
memory/1240-47-0x0000000073680000-0x000000007374E000-memory.dmp

Filesize
824KB

Download
memory/1240-41-0x0000000001DB0000-0x000000000207F000-memory.dmp

Filesize
2.8MB

Download
memory/1240-42-0x0000000073190000-0x000000007345F000-memory.dmp

Filesize
2.8MB

Download
memory/1240-149-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1240-43-0x0000000073750000-0x0000000073818000-memory.dmp

Filesize
800KB

Download
memory/1240-35-0x00000000734F0000-0x00000000735FA000-memory.dmp

Filesize
1.0MB

Download
memory/2360-324-0x0000000074130000-0x000000007416A000-memory.dmp

Filesize
232KB

Download
memory/2360-325-0x0000000073370000-0x00000000733AA000-memory.dmp

Filesize
232KB

Download
memory/2360-44-0x0000000072EA0000-0x0000000072EDA000-memory.dmp

Filesize
232KB

Download
memory/2360-88-0x0000000073A30000-0x0000000073A6A000-memory.dmp

Filesize
232KB

Download
memory/2360-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

Filesize
11.7MB

Download
memory/2360-53-0x0000000000400000-0x0000000000FBD000-memory.dmp

Filesize
11.7MB

Download
memory/2360-196-0x0000000073370000-0x00000000733AA000-memory.dmp

Filesize
232KB

Download
memory/2360-1-0x0000000074130000-0x000000007416A000-memory.dmp

Filesize
232KB

Download
memory/3428-269-0x0000000073610000-0x00000000736DE000-memory.dmp

Filesize
824KB

Download
memory/3428-266-0x0000000073880000-0x0000000073948000-memory.dmp

Filesize
800KB

Download
memory/3428-287-0x0000000073950000-0x0000000073C1F000-memory.dmp

Filesize
2.8MB

Download
memory/3428-285-0x0000000073770000-0x000000007387A000-memory.dmp

Filesize
1.0MB

Download
memory/3428-286-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/3428-284-0x0000000074120000-0x0000000074169000-memory.dmp

Filesize
292KB

Download
memory/3428-283-0x0000000073610000-0x00000000736DE000-memory.dmp

Filesize
824KB

Download
memory/3428-282-0x0000000073880000-0x0000000073948000-memory.dmp

Filesize
800KB

Download
memory/3428-275-0x00000000740F0000-0x0000000074114000-memory.dmp

Filesize
144KB

Download
memory/3428-270-0x0000000074120000-0x0000000074169000-memory.dmp

Filesize
292KB

Download
memory/3428-273-0x00000000736E0000-0x0000000073768000-memory.dmp

Filesize
544KB

Download
memory/3428-253-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/3428-265-0x0000000073950000-0x0000000073C1F000-memory.dmp

Filesize
2.8MB

Download
memory/3428-271-0x0000000073770000-0x000000007387A000-memory.dmp

Filesize
1.0MB

Download
memory/4292-173-0x0000000073880000-0x0000000073948000-memory.dmp

Filesize
800KB

Download
memory/4292-181-0x0000000073610000-0x00000000736DE000-memory.dmp

Filesize
824KB

Download
memory/4292-267-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/4292-177-0x0000000073770000-0x000000007387A000-memory.dmp

Filesize
1.0MB

Download
memory/4292-209-0x0000000073610000-0x00000000736DE000-memory.dmp

Filesize
824KB

Download
memory/4292-207-0x0000000073950000-0x0000000073C1F000-memory.dmp

Filesize
2.8MB

Download
memory/4292-206-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/4292-197-0x0000000073880000-0x0000000073948000-memory.dmp

Filesize
800KB

Download
memory/4292-175-0x0000000074120000-0x0000000074169000-memory.dmp

Filesize
292KB

Download
memory/4292-176-0x00000000740F0000-0x0000000074114000-memory.dmp

Filesize
144KB

Download
memory/4292-178-0x00000000736E0000-0x0000000073768000-memory.dmp

Filesize
544KB

Download
memory/4292-172-0x0000000073950000-0x0000000073C1F000-memory.dmp

Filesize
2.8MB

Download
memory/4556-161-0x0000000073600000-0x0000000073624000-memory.dmp

Filesize
144KB

Download
memory/4556-159-0x0000000073750000-0x0000000073818000-memory.dmp

Filesize
800KB

Download
memory/4556-160-0x0000000073680000-0x000000007374E000-memory.dmp

Filesize
824KB

Download
memory/4556-158-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/4556-148-0x0000000073460000-0x00000000734E8000-memory.dmp

Filesize
544KB

Download
memory/4556-150-0x0000000073190000-0x000000007345F000-memory.dmp

Filesize
2.8MB

Download
memory/4556-146-0x00000000734F0000-0x00000000735FA000-memory.dmp

Filesize
1.0MB

Download
memory/4556-137-0x0000000073750000-0x0000000073818000-memory.dmp

Filesize
800KB

Download
memory/4556-144-0x0000000073600000-0x0000000073624000-memory.dmp

Filesize
144KB

Download
memory/4556-140-0x0000000073630000-0x0000000073679000-memory.dmp

Filesize
292KB

Download
memory/4556-139-0x0000000073680000-0x000000007374E000-memory.dmp

Filesize
824KB

Download