bitrat | 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2

Resubmissions

26-04-2024 06:45

240426-hh76aaba6t 10

26-04-2024 06:44

26-04-2024 06:44

26-04-2024 06:44

26-04-2024 06:44

25-04-2024 13:09

Analysis

max time kernel
1796s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Size

11.7MB
MD5

aad57aa4be27a48ebfe54e35f8bf31d9
SHA1

cec3a059f103e163e6bfd0cbaa446045add97a89
SHA256

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
SHA512

423ecb0e593e7e862ba6a6f6d04937fdde737d5373620a61918522d348c25a39c40e0909e7e5dd4c52b5f546e6f15751a27d8820db0f1a10b98db25103d757b1
SSDEEP

196608:YN4reUU8Lxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQx6xtw3iFFrS6X/fTV73c:YN4reUPLxwZ6v1CPwDv3uFteg2EeJUOy

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.31

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
BitRAT payload 2 IoCs

Processes:

resource yara_rule

behavioral4/memory/2072-0-0x0000000000400000-0x0000000000FBD000-memory.dmp family_bitrat
behavioral4/memory/2072-46-0x0000000000400000-0x0000000000FBD000-memory.dmp family_bitrat

resource	yara_rule
behavioral4/memory/2072-0-0x0000000000400000-0x0000000000FBD000-memory.dmp	family_bitrat
behavioral4/memory/2072-46-0x0000000000400000-0x0000000000FBD000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

Executes dropped EXE 64 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
628	dllhost.exe
4688	dllhost.exe
4104	dllhost.exe
1916	dllhost.exe
3000	dllhost.exe
948	dllhost.exe
4448	dllhost.exe
716	dllhost.exe
2544	dllhost.exe
180	dllhost.exe
4384	dllhost.exe
892	dllhost.exe
4576	dllhost.exe
2360	dllhost.exe
2160	dllhost.exe
2144	dllhost.exe
1844	dllhost.exe
516	dllhost.exe
3488	dllhost.exe
5032	dllhost.exe
180	dllhost.exe
2540	dllhost.exe
4120	dllhost.exe
2068	dllhost.exe
332	dllhost.exe
3624	dllhost.exe
3116	dllhost.exe
1844	dllhost.exe
3592	dllhost.exe
2568	dllhost.exe
4996	dllhost.exe
3688	dllhost.exe
3600	dllhost.exe
1532	dllhost.exe
1884	dllhost.exe
408	dllhost.exe
2660	dllhost.exe
4676	dllhost.exe
224	dllhost.exe
1572	dllhost.exe
1860	dllhost.exe
1796	dllhost.exe
1504	dllhost.exe
4080	dllhost.exe
1780	dllhost.exe
1856	dllhost.exe
2184	dllhost.exe
1136	dllhost.exe
4220	dllhost.exe
540	dllhost.exe
920	dllhost.exe
2128	dllhost.exe
1856	dllhost.exe
2524	dllhost.exe
3420	dllhost.exe
5092	dllhost.exe
3024	dllhost.exe
1000	dllhost.exe
4396	dllhost.exe
3440	dllhost.exe
700	dllhost.exe
4520	dllhost.exe
3696	dllhost.exe
4140	dllhost.exe

Loads dropped DLL 64 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
628	dllhost.exe
628	dllhost.exe
628	dllhost.exe
628	dllhost.exe
628	dllhost.exe
628	dllhost.exe
628	dllhost.exe
628	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4104	dllhost.exe
4104	dllhost.exe
4104	dllhost.exe
4104	dllhost.exe
4104	dllhost.exe
4104	dllhost.exe
4104	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
1916	dllhost.exe
3000	dllhost.exe
3000	dllhost.exe
3000	dllhost.exe
3000	dllhost.exe
3000	dllhost.exe
3000	dllhost.exe
3000	dllhost.exe
948	dllhost.exe
948	dllhost.exe
948	dllhost.exe
948	dllhost.exe
948	dllhost.exe
948	dllhost.exe
948	dllhost.exe
4448	dllhost.exe
4448	dllhost.exe
4448	dllhost.exe
4448	dllhost.exe
4448	dllhost.exe
4448	dllhost.exe
4448	dllhost.exe
716	dllhost.exe
716	dllhost.exe
716	dllhost.exe
716	dllhost.exe
716	dllhost.exe
716	dllhost.exe
716	dllhost.exe
2544	dllhost.exe
2544	dllhost.exe
2544	dllhost.exe
2544	dllhost.exe
2544	dllhost.exe
2544	dllhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll	upx
behavioral4/memory/628-19-0x0000000000550000-0x0000000000954000-memory.dmp	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll	upx
behavioral4/memory/628-34-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/628-35-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral4/memory/628-36-0x0000000074150000-0x0000000074174000-memory.dmp	upx
behavioral4/memory/628-37-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/628-38-0x0000000073D70000-0x0000000073E7A000-memory.dmp	upx
behavioral4/memory/628-40-0x0000000073CE0000-0x0000000073D68000-memory.dmp	upx
behavioral4/memory/628-44-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/628-47-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-48-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/628-51-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/628-55-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-56-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-73-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-81-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-90-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-102-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-110-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-119-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/628-141-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/4688-149-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/4688-150-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral4/memory/4688-151-0x0000000074150000-0x0000000074174000-memory.dmp	upx
behavioral4/memory/4688-152-0x0000000073D70000-0x0000000073E7A000-memory.dmp	upx
behavioral4/memory/4688-153-0x0000000073CE0000-0x0000000073D68000-memory.dmp	upx
behavioral4/memory/4688-158-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/4688-177-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/4688-186-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/4688-187-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/4104-245-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/4688-247-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/4104-248-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral4/memory/4104-246-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/4104-249-0x0000000074150000-0x0000000074174000-memory.dmp	upx
behavioral4/memory/4104-250-0x0000000073D70000-0x0000000073E7A000-memory.dmp	upx
behavioral4/memory/4104-253-0x0000000073CE0000-0x0000000073D68000-memory.dmp	upx
behavioral4/memory/4104-254-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/4104-270-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/4104-279-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/4104-280-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/1916-314-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/1916-325-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/1916-327-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/1916-328-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/4104-326-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/1916-333-0x0000000073D70000-0x0000000073E7A000-memory.dmp	upx
behavioral4/memory/1916-334-0x0000000073CE0000-0x0000000073D68000-memory.dmp	upx
behavioral4/memory/1916-329-0x0000000074150000-0x0000000074174000-memory.dmp	upx
behavioral4/memory/1916-335-0x0000000074180000-0x00000000741C9000-memory.dmp	upx
behavioral4/memory/1916-347-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/1916-348-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/1916-357-0x00000000741D0000-0x0000000074298000-memory.dmp	upx
behavioral4/memory/1916-358-0x00000000742A0000-0x000000007436E000-memory.dmp	upx
behavioral4/memory/3000-387-0x0000000000550000-0x0000000000954000-memory.dmp	upx
behavioral4/memory/3000-388-0x0000000073E80000-0x000000007414F000-memory.dmp	upx
behavioral4/memory/3000-390-0x00000000741D0000-0x0000000074298000-memory.dmp	upx

Looks up external IP address via web service 35 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
505	myexternalip.com
641	myexternalip.com
696	myexternalip.com
650	myexternalip.com
657	myexternalip.com
663	myexternalip.com
598	myexternalip.com
613	myexternalip.com
620	myexternalip.com
627	myexternalip.com
690	myexternalip.com
232	myexternalip.com
512	myexternalip.com
584	myexternalip.com
722	myexternalip.com
677	myexternalip.com
702	myexternalip.com
526	myexternalip.com
634	myexternalip.com
671	myexternalip.com
577	myexternalip.com
709	myexternalip.com
304	myexternalip.com
543	myexternalip.com
570	myexternalip.com
536	myexternalip.com
562	myexternalip.com
606	myexternalip.com
481	myexternalip.com
489	myexternalip.com
549	myexternalip.com
716	myexternalip.com
233	myexternalip.com
354	myexternalip.com
497	myexternalip.com

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

pid	process
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

pid process

2072 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exesvchost.exe

description pid process

Token: SeShutdownPrivilege 2072 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Token: SeManageVolumePrivilege 2024 svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

pid process

2072 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
2072 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

description	pid	process
Token: SeShutdownPrivilege	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
Token: SeManageVolumePrivilege	2024	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

description	pid	process	target process
PID 2072 wrote to memory of 628	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 628	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 628	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4688	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4688	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4688	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4104	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4104	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4104	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 1916	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 1916	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 1916	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 3000	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 3000	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 3000	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 948	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 948	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 948	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4448	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4448	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4448	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 716	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 716	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 716	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2544	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2544	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2544	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 180	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 180	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 180	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4384	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4384	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4384	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 892	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 892	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 892	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4576	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4576	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 4576	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2360	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2360	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2360	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2160	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2160	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2160	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2144	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2144	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2144	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 1844	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 1844	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 1844	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 516	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 516	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 516	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 3488	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 3488	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 3488	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 5032	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 5032	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 5032	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 180	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 180	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 180	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe
PID 2072 wrote to memory of 2540	2072	8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4688

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4104

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4448

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:716

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:180

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:892

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:516

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5032

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:180

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4120

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:332

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3624

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3600

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4080

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1136

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:540

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3420

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5092

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:700

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4140

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:4052

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:4028

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:4396

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
2⤵
PID:4440

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
Filesize
13KB

MD5
d4012b8e9af67e3c4c18a58b3353a89b

SHA1
ac0b1fdf8ec5ee5e982898b01eef9d91afb3cb16

SHA256
056668aa0202a7d69dd8890dc0403364bbd0d839cb4028d2b496314e04689eb5

SHA512
977565976b890900396d801aff7d7d162efbffac7e5e927dd3262ebb2745c8ca1ef1ebf6804f7c5ab164eaee18e610d2a14439ace0a9fe4a0e310ddac0d60eef

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
Filesize
2.5MB

MD5
e0c532df4b63edb19c242ef478980308

SHA1
e62c4db641e976bac705db9d547d213ff2c49217

SHA256
895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7

SHA512
da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
Filesize
18.7MB

MD5
6a8d3e31c48382f1ca9040aa0f712612

SHA1
1a57eab7d8f8f9a98d4d1b9e9cb85fd4548b8fa5

SHA256
6e70c56ae3d5a10573c3c7e6636e089c845713fbb9c5629a7c7fb93381827f6c

SHA512
2e0ed2152f96eab1685fb755cd07d20a5ae216c6fd0351b321acbf02004b4ddd32915591e28e0e0993515d197252bab2822353be75e73df1b9c1532bba86172d

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
Filesize
7.0MB

MD5
8c0edbde097b4df4677e55400907ccf9

SHA1
0d80a7153892341efe0aa21129bd3549c53d0a2b

SHA256
4370af87433548266a76739e97d9537d06c3c409b936dda2bb6a4518d5195e7e

SHA512
d19cb0d6e33d2c320d3bdf14c26f4c5e871e377c6b4da148a738c66db04be288a946171990ccb9af248a12ed2555447c5a93576ec916b8cbf2a89ed983fc3066

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Filesize
5.6MB

MD5
de4faedd6e7fc0e1c2b7963ac06a0fdc

SHA1
5ba568cc86b17694d9808603062958568c43b7de

SHA256
784479690a5d52b188b1d975c1050ae07aa518e885e71e029dd3ab66261c0770

SHA512
6763635b7328352fe4685c423a0592429e6b62b338e01e0894e780c486526074c78607b6a36f3f348df4c60ba75f9e0eeced2d8a67615ec604397f5ed83ba79d

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Filesize
7.0MB

MD5
8a012881ab1d1b4e0f3c024eea5832b7

SHA1
abc292ddd73db93844ddafc70dd93000ef142e07

SHA256
c1ad82df4547abd090084e39febaded4bdbc1028403e36b6cec682f66c561cdb

SHA512
6a72251aa7a1b4ab40fe3bc60f5a14864d98f9dec4024d9aabf4cd99a9d941dab51cc9606f35447d082017b719b14d3d3cc09fdbf14521e3a181080893f27087

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Filesize
11.6MB

MD5
7af8e1de8c1c5055d04da9698acc3e25

SHA1
f8b046b778120d268127edc77cc8aa9aab849897

SHA256
732936d96d0ebfdeeda7c502758013e14e577ffa987026fd456eb60e485e046a

SHA512
a2733f1b7b62778ac7b9ff434ab4b51a5346d6edfb849b90f1c69661196ff32a0c1e4eb6661fb8540cda77814b77020fc644335687cbdb9f7b7f2df0f9835e02

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
Filesize
8KB

MD5
0a2b7f161cfbfe1d3abc7c4ec365953b

SHA1
83087f843db2f278f5ea7d5f1fbecdba56494de1

SHA256
e218fca681c190c859e16004916770adc193ebb794926bd89141597e20416ad5

SHA512
5186739d9da221aabb80d4d065c64bb0d22e464f2df8e610120adf25f1df5b72a85403d3cc1fe5fbeb2b0ffd8f85ab4a1d2ea0d982963c3ae332065e7dd8ae7f

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
Filesize
9KB

MD5
6998db0985ad77dfe715916c51208e2a

SHA1
a6129359c9f7e1643af637dc2fb9ea377ff7317e

SHA256
972d5e50f669e7dacc3d11b1f293e6c868deda89a1519c323bf8d2eb7105e2a0

SHA512
4efed364da2b5eed31b8327ff8c028fe109adbb8fa040458d933333efae5bfbd10a0982f320a16495edae32cb307e0eea41a1128fa46ec02b202798960d63dcb

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
Filesize
9KB

MD5
63ac7047f63dc0bef07087e31eda59ce

SHA1
1432f828edc480554b18ffa1ac0c0523d5d7fd7c

SHA256
278a03e210d7939d9f74dc9bca2fe92e5dab6fa72758005de0a9791010517202

SHA512
ca6e47c76024c06a38c9d29a1707f7a8316f47b858fe53a2a60e7789a3621197e46f8864504bd594820a143b37b9b110fa0c8c0c5233d2098ab57e52aa1b243d

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
Filesize
139B

MD5
22ec9e4c1cdf6aca7b2997be93f46645

SHA1
df0a0e3373fc514518b70adfebc86c23c3f04bf8

SHA256
b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4

SHA512
d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

Download Submit
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/628-73-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-40-0x0000000073CE0000-0x0000000073D68000-memory.dmp

Filesize
544KB

Download
memory/628-81-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-47-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-48-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/628-51-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/628-55-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-56-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-37-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/628-38-0x0000000073D70000-0x0000000073E7A000-memory.dmp

Filesize
1.0MB

Download
memory/628-19-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-43-0x0000000001680000-0x0000000001708000-memory.dmp

Filesize
544KB

Download
memory/628-64-0x0000000001680000-0x0000000001708000-memory.dmp

Filesize
544KB

Download
memory/628-90-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-102-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-110-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-119-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-36-0x0000000074150000-0x0000000074174000-memory.dmp

Filesize
144KB

Download
memory/628-141-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/628-35-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/628-34-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/628-44-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/1916-325-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/1916-314-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/1916-393-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/1916-358-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/1916-359-0x0000000000FB0000-0x0000000000FF9000-memory.dmp

Filesize
292KB

Download
memory/1916-357-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/1916-348-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/1916-347-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/1916-335-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/1916-329-0x0000000074150000-0x0000000074174000-memory.dmp

Filesize
144KB

Download
memory/1916-334-0x0000000073CE0000-0x0000000073D68000-memory.dmp

Filesize
544KB

Download
memory/1916-333-0x0000000073D70000-0x0000000073E7A000-memory.dmp

Filesize
1.0MB

Download
memory/1916-332-0x0000000000FB0000-0x0000000000FF9000-memory.dmp

Filesize
292KB

Download
memory/1916-328-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/1916-327-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/2072-302-0x00000000738D0000-0x0000000073909000-memory.dmp

Filesize
228KB

Download
memory/2072-282-0x0000000074E20000-0x0000000074E59000-memory.dmp

Filesize
228KB

Download
memory/2072-188-0x0000000073B40000-0x0000000073B79000-memory.dmp

Filesize
228KB

Download
memory/2072-89-0x0000000074E40000-0x0000000074E79000-memory.dmp

Filesize
228KB

Download
memory/2072-45-0x00000000738D0000-0x0000000073909000-memory.dmp

Filesize
228KB

Download
memory/2072-46-0x0000000000400000-0x0000000000FBD000-memory.dmp

Filesize
11.7MB

Download
memory/2072-1-0x0000000074E20000-0x0000000074E59000-memory.dmp

Filesize
228KB

Download
memory/2072-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

Filesize
11.7MB

Download
memory/2072-281-0x00000000729C0000-0x00000000729F9000-memory.dmp

Filesize
228KB

Download
memory/2072-371-0x0000000074E40000-0x0000000074E79000-memory.dmp

Filesize
228KB

Download
memory/3000-394-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/3000-387-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/3000-388-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/3000-390-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/3000-392-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/3000-396-0x0000000074150000-0x0000000074174000-memory.dmp

Filesize
144KB

Download
memory/4104-245-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/4104-249-0x0000000074150000-0x0000000074174000-memory.dmp

Filesize
144KB

Download
memory/4104-253-0x0000000073CE0000-0x0000000073D68000-memory.dmp

Filesize
544KB

Download
memory/4104-250-0x0000000073D70000-0x0000000073E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4104-254-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/4104-248-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/4104-326-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/4104-246-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/4104-270-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/4104-279-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/4104-280-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/4688-187-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/4688-151-0x0000000074150000-0x0000000074174000-memory.dmp

Filesize
144KB

Download
memory/4688-158-0x0000000073E80000-0x000000007414F000-memory.dmp

Filesize
2.8MB

Download
memory/4688-152-0x0000000073D70000-0x0000000073E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4688-150-0x0000000074180000-0x00000000741C9000-memory.dmp

Filesize
292KB

Download
memory/4688-177-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download
memory/4688-186-0x00000000741D0000-0x0000000074298000-memory.dmp

Filesize
800KB

Download
memory/4688-149-0x00000000742A0000-0x000000007436E000-memory.dmp

Filesize
824KB

Download
memory/4688-153-0x0000000073CE0000-0x0000000073D68000-memory.dmp

Filesize
544KB

Download
memory/4688-247-0x0000000000550000-0x0000000000954000-memory.dmp

Filesize
4.0MB

Download