Malware Analysis Report

2025-01-03 05:11

Sample ID 230303-vag1caaa4w
Target workkkkkkkk2.exe
SHA256 aba8bad15949bd79d6b47939afbe4a8febf82eab89527f42a08836da9022d7b8
Tags
bitrat persistence trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

aba8bad15949bd79d6b47939afbe4a8febf82eab89527f42a08836da9022d7b8

Threat Level: Known bad

The file workkkkkkkk2.exe was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Bitrat family

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-03 16:47

Signatures

Bitrat family

bitrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-03 16:47

Reported

2023-03-03 16:49

Platform

win10-20230220-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1ë°€" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\temp\test1 N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2717123927\3950266016.pri C:\Windows\System32\fodhelper.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell\open\command C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell\open C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell\open\command\DelegateExecute C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell\open\command C:\Users\Admin\AppData\Local\temp\test1 N/A
Key deleted \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell\open C:\Users\Admin\AppData\Local\temp\test1 N/A
Key deleted \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell C:\Users\Admin\AppData\Local\temp\test1 N/A
Key deleted \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings C:\Users\Admin\AppData\Local\temp\test1 N/A
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1 -uac 1228" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\temp\test1 N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\temp\test1 N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1228 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1228 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Windows\System32\fodhelper.exe
PID 5048 wrote to memory of 4976 N/A C:\Windows\System32\fodhelper.exe C:\Users\Admin\AppData\Local\temp\test1
PID 4976 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\temp\test1 C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4976 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\temp\test1 C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Users\Admin\AppData\Local\temp\test1

"C:\Users\Admin\AppData\Local\temp\test1" -uac 1228

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
CZ 37.157.195.87:443 tcp
US 45.79.108.130:9001 tcp
N/A 127.0.0.1:49722 tcp
US 8.8.8.8:53 130.108.79.45.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
PL 151.115.47.4:443 tcp
US 66.206.0.82:9001 tcp
FI 65.108.3.114:1066 tcp
US 8.8.8.8:53 114.3.108.65.in-addr.arpa udp
US 8.8.8.8:53 4.47.115.151.in-addr.arpa udp
US 8.8.8.8:53 82.0.206.66.in-addr.arpa udp
US 66.206.0.82:9001 tcp
FI 65.108.3.114:1066 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 116.172.5.23.in-addr.arpa udp
US 8.8.8.8:53 99.143.109.104.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49843 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 213.95.190.181:9001 tcp
N/A 127.0.0.1:49899 tcp
US 199.168.103.138:443 tcp
US 8.8.8.8:53 181.190.95.213.in-addr.arpa udp
US 8.8.8.8:53 138.103.168.199.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49968 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/1228-121-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1228-135-0x00000000734B0000-0x00000000734EA000-memory.dmp

memory/1904-140-0x0000000000050000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/1904-155-0x0000000072AD0000-0x0000000072B9E000-memory.dmp

memory/1904-156-0x00000000729B0000-0x00000000729F9000-memory.dmp

memory/1904-157-0x0000000072980000-0x00000000729A4000-memory.dmp

memory/1904-158-0x00000000726B0000-0x000000007297F000-memory.dmp

memory/1904-159-0x0000000001800000-0x0000000001ACF000-memory.dmp

memory/1904-160-0x0000000072A00000-0x0000000072AC8000-memory.dmp

memory/1904-161-0x00000000725A0000-0x00000000726AA000-memory.dmp

memory/1904-162-0x0000000072510000-0x0000000072598000-memory.dmp

memory/1228-165-0x0000000072220000-0x000000007225A000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

MD5 2c58869e40fa2f71b00a557597874f14
SHA1 72647b5f2d8e55cf61777ee038a69075634781e9
SHA256 48592af602659dc322dd5957cdf108436f543856c53798c3cbc7c7cf204940b0
SHA512 8db0711223738e801248e51a6fdb3769a27be5525d5d94b1dacf551c48e37d67c78efde1a8dba83ca0891db74e1d92c3b0f34a7bcecdec817de0c769cd2f376c

memory/1904-180-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1904-188-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1904-194-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1904-210-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1904-218-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1904-226-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1904-234-0x0000000000050000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/704-251-0x0000000000050000-0x0000000000454000-memory.dmp

memory/704-252-0x00000000726B0000-0x000000007297F000-memory.dmp

memory/704-254-0x0000000072AD0000-0x0000000072B9E000-memory.dmp

memory/704-253-0x0000000072A00000-0x0000000072AC8000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/704-255-0x00000000729B0000-0x00000000729F9000-memory.dmp

memory/704-257-0x00000000725A0000-0x00000000726AA000-memory.dmp

memory/704-258-0x0000000072510000-0x0000000072598000-memory.dmp

memory/704-259-0x0000000000050000-0x0000000000454000-memory.dmp

memory/704-261-0x00000000726B0000-0x000000007297F000-memory.dmp

memory/704-262-0x0000000072A00000-0x0000000072AC8000-memory.dmp

memory/704-263-0x0000000072AD0000-0x0000000072B9E000-memory.dmp

memory/704-264-0x00000000729B0000-0x00000000729F9000-memory.dmp

memory/704-265-0x00000000725A0000-0x00000000726AA000-memory.dmp

memory/704-260-0x0000000072980000-0x00000000729A4000-memory.dmp

memory/1904-268-0x0000000000050000-0x0000000000454000-memory.dmp

memory/1228-286-0x00000000734B0000-0x00000000734EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test1

MD5 b42af31cea64330d0465bed0510089c0
SHA1 3cd6c9277fe07111548e1030834c98e2412a380a
SHA256 aba8bad15949bd79d6b47939afbe4a8febf82eab89527f42a08836da9022d7b8
SHA512 138e37e9fea7a7fc50c9f1ddb61326825c5bda4418dace39024baa2062cebabe84f3df32bef41df937bb7427c948bd08830ef71d572941f5d23b4c87c9aa66f3

memory/4976-294-0x0000000073480000-0x00000000734BA000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/1904-301-0x0000000000050000-0x0000000000454000-memory.dmp

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

C:\Users\Admin\AppData\Local\33245aa2\tor\data\state

MD5 5e9e6e4a8dbb660c3c290ee43a69dd82
SHA1 43e171140bb3d0b712bd2ee454f32e6bea7b28c2
SHA256 9b6c899210044f77c00fe04792067734185e5b7954e526bceaaac8f67b102604
SHA512 a283f31da33336db69cff0ebe84a6002e566a9e1db0c1bf33def1016133d8d4c4023e7adfd1bb444978417b084809d2eb5ac6639a85bf779747483c29ea74a90

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-certs

MD5 18edb510a3caedeed72cab964c54b8ba
SHA1 0a70df70bd115c2e18c8facee6c7dafa0f91ac23
SHA256 ee3c71d6b3f8d47de4e3e6094d7278514faafc0da0c95dc4c064599dfc542c91
SHA512 d6e2ea5835244935c84a9653b7ca58aff99797e3c3055ee282416ad61e3a5ab997936a3f2d89eb40549559c5ae30c8fe128c5553ef2ecef25a24e26fb316a5db

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/4844-310-0x0000000000050000-0x0000000000454000-memory.dmp

memory/4844-311-0x00000000726B0000-0x000000007297F000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\33245aa2\tor\data\unverified-microdesc-consensus

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-03 16:47

Reported

2023-03-03 16:49

Platform

win7-20230220-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49194 tcp
DE 178.254.7.88:8443 tcp
DE 5.189.169.190:8080 tcp
N/A 127.0.0.1:45808 tcp
SK 5.252.23.42:9001 tcp
FR 2.56.247.59:9000 tcp
SE 98.128.175.41:9001 tcp
SE 98.128.175.41:9001 tcp
FR 2.56.247.59:9000 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 34.160.111.145:443 myexternalip.com tcp
US 34.160.111.145:443 myexternalip.com tcp
US 34.160.111.145:443 myexternalip.com tcp

Files

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

C:\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\Temp\CabA5D4.tmp

C:\Users\Admin\AppData\Local\Temp\TarA692.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-03 16:47

Reported

2023-03-03 16:49

Platform

win10v2004-20230221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
RU 213.141.138.174:9001 tcp
N/A 127.0.0.1:49779 tcp
FR 51.254.147.57:443 tcp
MX 132.248.241.5:9101 tcp
US 8.8.8.8:53 5.241.248.132.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
MD 194.180.191.93:9001 tcp
FI 95.217.39.117:4443 tcp
DE 46.38.240.66:9001 tcp
US 8.8.8.8:53 117.39.217.95.in-addr.arpa udp
US 8.8.8.8:53 93.191.180.194.in-addr.arpa udp
US 8.8.8.8:53 66.240.38.46.in-addr.arpa udp
FI 95.217.39.117:4443 tcp
MD 194.180.191.93:9001 tcp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 116.172.5.23.in-addr.arpa udp
US 8.8.8.8:53 99.143.109.104.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 34.160.111.145:443 myexternalip.com tcp
US 34.160.111.145:443 myexternalip.com tcp
US 34.160.111.145:443 myexternalip.com tcp

Files

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/868-167-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-168-0x0000000074460000-0x000000007452E000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/868-169-0x0000000074410000-0x0000000074459000-memory.dmp

memory/868-173-0x0000000074340000-0x0000000074408000-memory.dmp

memory/868-174-0x0000000074070000-0x000000007433F000-memory.dmp

memory/868-175-0x0000000002240000-0x000000000250F000-memory.dmp

memory/868-176-0x0000000073F60000-0x000000007406A000-memory.dmp

memory/868-177-0x0000000073ED0000-0x0000000073F58000-memory.dmp

memory/868-178-0x0000000000B10000-0x0000000000B98000-memory.dmp

memory/868-179-0x0000000073EA0000-0x0000000073EC4000-memory.dmp

memory/1264-180-0x0000000073B70000-0x0000000073BA9000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/868-195-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-196-0x0000000074460000-0x000000007452E000-memory.dmp

memory/868-199-0x0000000074340000-0x0000000074408000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

MD5 238c4925afa6d6e91d8ad6a731c29b6a
SHA1 4b9a2dd89f57bcb1655f214209dd217ed9c4c4be
SHA256 0ac3026b101dfa3db9e9a5ef2e696948c53eb071d1b1716658a3e2a1abb05626
SHA512 ead0b04ec16bbe75d9958b5eaf0c8a0fd9cec825733299ec4ba379220df46d6eb73569d645103b6bd3a3dc2770f19c927c80e5390f17919eae113697f47e9971

memory/868-207-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-210-0x0000000002240000-0x000000000250F000-memory.dmp

memory/868-211-0x0000000000B10000-0x0000000000B98000-memory.dmp

memory/868-212-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-224-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-238-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-246-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-254-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-262-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/868-270-0x0000000000BB0000-0x0000000000FB4000-memory.dmp

memory/1264-278-0x0000000074FE0000-0x0000000075019000-memory.dmp