Analysis Overview
SHA256
c719392010e985181bc9dd1dd5e6ae8a3e3717ef8f4a541554df57f725008d2f
Threat Level: Known bad
The file DDoS Panel V3.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
Bitrat family
Deletes itself
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-04 20:59
Signatures
Bitrat family
Analysis: behavioral3
Detonation Overview
Submitted
2023-03-04 20:59
Reported
2023-03-04 21:04
Platform
win10v2004-20230220-en
Max time kernel
262s
Max time network
265s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck\ue000" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckä„€" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck\u2000" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck怀" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckက" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck䀀" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckȀ" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2652 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe |
| PID 2652 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe |
| PID 2652 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe |
| PID 2652 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | C:\Windows\system32\cmd.exe |
| PID 2652 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | C:\Windows\system32\cmd.exe |
| PID 4108 wrote to memory of 4628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 4108 wrote to memory of 4628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe
"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wql1kFPm.bat" "
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 163.172.149.155:443 | N/A | tcp |
| DE | 78.47.18.110:80 | N/A | tcp |
| N/A | 127.0.0.1:49782 | N/A | tcp |
| US | 8.8.8.8:53 | 110.18.47.78.in-addr.arpa | udp |
| DE | 46.4.66.178:9001 | N/A | tcp |
| DE | 51.77.70.243:9001 | N/A | tcp |
| HU | 79.172.193.65:443 | N/A | tcp |
| US | 8.8.8.8:53 | 178.66.4.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.70.77.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.193.172.79.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| DE | 51.77.70.243:9001 | N/A | tcp |
| HU | 79.172.193.65:443 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 145.111.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.211.2.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.101.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 20.189.173.12:443 | N/A | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| NL | 8.238.177.126:80 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| NL | 8.238.177.126:80 | N/A | tcp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| DE | 51.77.70.243:9001 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/2652-133-0x0000000000400000-0x0000000000C33000-memory.dmp
memory/2652-134-0x0000000074D30000-0x0000000074D69000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\792c4c98\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\792c4c98\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\792c4c98\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\792c4c98\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\792c4c98\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\792c4c98\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/2660-164-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-166-0x0000000074060000-0x0000000074084000-memory.dmp
memory/2660-165-0x0000000074160000-0x0000000074228000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\792c4c98\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\792c4c98\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\792c4c98\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2660-170-0x0000000073F50000-0x000000007405A000-memory.dmp
memory/2660-169-0x0000000073EC0000-0x0000000073F48000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2660-171-0x00000000015A0000-0x000000000186F000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\torrc
| MD5 | 348f4efd675a7f6eb18dff7bf517685c |
| SHA1 | ab2e60dea306eff37a2a7753d7c01b9f964022c4 |
| SHA256 | e537c238f7927e97bceb3e1c8c0dd2230af6d66aee5605674bca91df4ab7d31e |
| SHA512 | c7761c2283f0d579a285e4bbebf01649967b0a542ba4dfe6ca7b97fcc51691befe12c114f9105372faeeebd010f941cb2c4a8fc3dbd7ad457fac9ee59cfcb19e |
memory/2660-175-0x0000000074230000-0x0000000074279000-memory.dmp
memory/2660-176-0x0000000074090000-0x000000007415E000-memory.dmp
memory/2660-177-0x0000000073BF0000-0x0000000073EBF000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus.tmp
| MD5 | 24dbc125264068c816f7ebbd5623497b |
| SHA1 | cce2cf96ce9929fb3412cf95ffab22bf66f56280 |
| SHA256 | 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953 |
| SHA512 | fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104 |
memory/2652-188-0x00000000737E0000-0x0000000073819000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new
| MD5 | acaa2b0c8a941fa2f1effd572f6a221e |
| SHA1 | f71bd72e23fb2df51f4acd27aeb195c7ddaf8a3b |
| SHA256 | 980d1a348aba451d825f1791e4ed59645edc2d8ebfc8667396df7eb4c898f213 |
| SHA512 | a9fa20120c9623a2932aac517c9130b2da194c6664de628fc5b55c10e3b721166e5e4bce1b4583c01eaff968c9f52f71a02aa4434c0365137b4ff4fc828947ae |
memory/2660-201-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-203-0x0000000074160000-0x0000000074228000-memory.dmp
memory/2660-204-0x0000000074060000-0x0000000074084000-memory.dmp
memory/2660-206-0x0000000073EC0000-0x0000000073F48000-memory.dmp
memory/2660-207-0x0000000073F50000-0x000000007405A000-memory.dmp
memory/2660-209-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-210-0x00000000015A0000-0x000000000186F000-memory.dmp
memory/2660-217-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-225-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-233-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-241-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-249-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-257-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2660-265-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2652-273-0x0000000074D30000-0x0000000074D69000-memory.dmp
memory/2660-338-0x0000000000210000-0x0000000000614000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus
| MD5 | 24dbc125264068c816f7ebbd5623497b |
| SHA1 | cce2cf96ce9929fb3412cf95ffab22bf66f56280 |
| SHA256 | 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953 |
| SHA512 | fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104 |
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-certs
| MD5 | 02f508db7544135af39a99af351c2349 |
| SHA1 | 95386fc8a6804555928ddb4135ab241553dd0931 |
| SHA256 | 4fa11755280deed639b0fc1d06962c3bdee83233d775eaa7b6f1e459752afc23 |
| SHA512 | 0fa63c9cb873e3fc23edfe92023103ecbb1754c636f9ff416b24bbb9b1c2255acfa1dce122dc14cf6f427ee770df5aeb16d6a11bc6cc60b6a57f1d93860ed707 |
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new
| MD5 | 0d72dbd9620800a60f7d51cdf161c68b |
| SHA1 | e7246dc7e97db357627785eb1bea76770e472052 |
| SHA256 | 3c5d473b011e7386c923681a6b96a9c86ed98363199756d5d323699457d4645a |
| SHA512 | c13fe5d5ad40f1eaac8fc8bb7de49ce25e5772c76cd303d84f2b3ce76ea90859f604955646e18da7323ee36bf28af88cf2904f577a3047409b01ea50da0bca16 |
C:\Users\Admin\AppData\Local\792c4c98\tor\data\unverified-microdesc-consensus
| MD5 | 24dbc125264068c816f7ebbd5623497b |
| SHA1 | cce2cf96ce9929fb3412cf95ffab22bf66f56280 |
| SHA256 | 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953 |
| SHA512 | fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104 |
C:\Users\Admin\AppData\Local\792c4c98\tor\data\state
| MD5 | 560c094f683dae68936f320131c26558 |
| SHA1 | 0dacc3698a7e72bc20bc0110ebfeb7b925b04ef9 |
| SHA256 | 77a4f313e64ae7ac0dea216528d817262dbe966d726413a8c6434db53c73a005 |
| SHA512 | 67c68c01d8ad05f0f0743990a237940802c20ea3ff35ad946648e2ae964a8f569f9550dd73379c26d54c94bcabccc88303215b4a32153d9daf8a022d460d397f |
memory/2652-347-0x00000000737E0000-0x0000000073819000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Wql1kFPm.bat
| MD5 | 48fd6fd5b940e598a087efd8afb69d6e |
| SHA1 | 1f07df9ac8ee28020b030e5ebebad35eea427910 |
| SHA256 | 3b33a05baf95ecfe8e1d59caeda817d072207e43f451198caab66d5aa965eeb4 |
| SHA512 | 8256db1a4cb22b06d90585fed2974c3b0f7c11002a3b36ea55d8a0ceeea2afc4e7cf74f1c89fc75e7e0e5bf81c7e60241ea0d91efbbe53378c2ac7dc0dcac5d6 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-04 20:59
Reported
2023-03-04 21:04
Platform
win7-20230220-en
Max time kernel
169s
Max time network
260s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe
"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gPeLJG08.bat" "
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
Network
| Country | Destination | Domain | Proto |
| NL | 77.247.181.164:443 | N/A | tcp |
| N/A | 127.0.0.1:49196 | N/A | tcp |
| CZ | 37.157.195.87:443 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| FI | 185.100.86.182:8080 | N/A | tcp |
| FR | 163.172.149.155:443 | N/A | tcp |
| AT | 86.59.21.38:443 | N/A | tcp |
| DE | 116.202.233.112:443 | N/A | tcp |
| DE | 212.83.43.96:443 | N/A | tcp |
| US | 67.219.182.195:443 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| DE | 116.202.233.112:443 | N/A | tcp |
| DE | 212.83.43.96:443 | N/A | tcp |
| N/A | 127.0.0.1:49307 | N/A | tcp |
| N/A | 127.0.0.1:49339 | N/A | tcp |
| SE | 193.11.114.46:9003 | N/A | tcp |
| FR | 51.15.185.201:443 | N/A | tcp |
| DE | 85.214.38.105:9001 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| DE | 185.220.101.206:8443 | N/A | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 92.122.101.8:80 | apps.identrust.com | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-04 20:59
Reported
2023-03-04 21:04
Platform
win10-20230220-en
Max time kernel
167s
Max time network
182s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckï°€" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckæ €" | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe
"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCu86abZ.bat" "
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49730 | N/A | tcp |
| NL | 192.87.28.82:9001 | N/A | tcp |
| NL | 185.14.30.57:9001 | N/A | tcp |
| US | 172.106.112.254:443 | N/A | tcp |
| CA | 192.99.43.171:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 82.28.87.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.30.14.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.43.99.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.112.106.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| NL | 185.14.30.57:9001 | N/A | tcp |
| US | 172.106.112.254:443 | N/A | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 145.111.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.211.2.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.101.122.92.in-addr.arpa | udp |
| US | 52.182.143.208:443 | N/A | tcp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| N/A | 127.0.0.1:49864 | N/A | tcp |
| N/A | 127.0.0.1:49903 | N/A | tcp |
| DE | 188.68.56.181:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 181.56.68.188.in-addr.arpa | udp |
| UA | 176.107.176.31:443 | N/A | tcp |
| US | 8.8.8.8:53 | 31.176.107.176.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.160.111.145:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:50014 | N/A | tcp |
Files
memory/4240-120-0x0000000000400000-0x0000000000C33000-memory.dmp
memory/4240-121-0x00000000735B0000-0x00000000735EA000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\792c4c98\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\792c4c98\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\792c4c98\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
\Users\Admin\AppData\Local\792c4c98\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/2472-151-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-152-0x0000000072B00000-0x0000000072BC8000-memory.dmp
memory/2472-154-0x0000000072A80000-0x0000000072AA4000-memory.dmp
memory/2472-153-0x0000000072AB0000-0x0000000072AF9000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\torrc
| MD5 | 348f4efd675a7f6eb18dff7bf517685c |
| SHA1 | ab2e60dea306eff37a2a7753d7c01b9f964022c4 |
| SHA256 | e537c238f7927e97bceb3e1c8c0dd2230af6d66aee5605674bca91df4ab7d31e |
| SHA512 | c7761c2283f0d579a285e4bbebf01649967b0a542ba4dfe6ca7b97fcc51691befe12c114f9105372faeeebd010f941cb2c4a8fc3dbd7ad457fac9ee59cfcb19e |
memory/2472-156-0x0000000001690000-0x000000000195F000-memory.dmp
memory/2472-157-0x00000000727B0000-0x0000000072A7F000-memory.dmp
memory/2472-160-0x0000000072610000-0x0000000072698000-memory.dmp
memory/2472-161-0x00000000009E0000-0x0000000000A68000-memory.dmp
memory/2472-162-0x0000000072BD0000-0x0000000072C9E000-memory.dmp
memory/2472-163-0x00000000726A0000-0x00000000727AA000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus.tmp
| MD5 | 24dbc125264068c816f7ebbd5623497b |
| SHA1 | cce2cf96ce9929fb3412cf95ffab22bf66f56280 |
| SHA256 | 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953 |
| SHA512 | fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104 |
memory/4240-175-0x0000000072320000-0x000000007235A000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new
| MD5 | 04eb501894305da7de5a75320a63444c |
| SHA1 | a26f43cd1d07e072e4759d98f14cee356d0ef455 |
| SHA256 | fec96152b242816ba664d1cc4b4c096d957d12cce6aba06de37c17eb4fd746ad |
| SHA512 | a934d9de33323193bfffa8e00cf9eb37fdca0675a88d2948ffc49ba8ea7d70d49f3979fca912dbf65dee8b931624abf314f907095fc145254ec949b70d5a56f3 |
memory/2472-186-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-188-0x0000000072B00000-0x0000000072BC8000-memory.dmp
memory/2472-191-0x00000000727B0000-0x0000000072A7F000-memory.dmp
memory/2472-194-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-195-0x00000000009E0000-0x0000000000A68000-memory.dmp
memory/2472-196-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-212-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-220-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-228-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-236-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-244-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2472-252-0x0000000001080000-0x0000000001484000-memory.dmp
memory/4240-260-0x00000000735B0000-0x00000000735EA000-memory.dmp
memory/2472-282-0x00000000009E0000-0x0000000000A68000-memory.dmp
memory/2472-284-0x0000000001080000-0x0000000001484000-memory.dmp
memory/3260-287-0x0000000001080000-0x0000000001484000-memory.dmp
memory/3260-290-0x0000000072B00000-0x0000000072BC8000-memory.dmp
memory/3260-289-0x00000000727B0000-0x0000000072A7F000-memory.dmp
memory/3260-292-0x0000000072BD0000-0x0000000072C9E000-memory.dmp
memory/3260-293-0x0000000072AB0000-0x0000000072AF9000-memory.dmp
memory/3260-294-0x0000000072A80000-0x0000000072AA4000-memory.dmp
memory/3260-296-0x00000000726A0000-0x00000000727AA000-memory.dmp
memory/3260-295-0x0000000072610000-0x0000000072698000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\state
| MD5 | 92754888729a99aacc44ab40bfdb0033 |
| SHA1 | 538bdf472ecff3e89882178485c8a218043ccdf2 |
| SHA256 | a362a85ff15e71574b5da3c47530cdf67eb25fdecc537c1a34c9c1e66526b71e |
| SHA512 | 877c5629e014582f626a0e55d55117cb660bccbc0fd2aaa799244306620365a588322b6b0de702c8fcf08bab8ced93d21a61f04366c8ac58ab225a7f279143d8 |
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-certs
| MD5 | 2c09cc56df3f63e07ca923e886d6a8cc |
| SHA1 | 68555cecfc4a0e6a06e35e34310d107967d09956 |
| SHA256 | 1b29cf50ae61f3db77dc4145ff4e83ed380d0784e4459d2eada5f75961d01157 |
| SHA512 | b8f26b099a41953b72b3f4cb957062575da7409cd9c4819d66985cee804e87bbcc447169bc1facf41a9a024e1a83562503aa072ca1a2e163c9babfea712b1f30 |
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus
| MD5 | 24dbc125264068c816f7ebbd5623497b |
| SHA1 | cce2cf96ce9929fb3412cf95ffab22bf66f56280 |
| SHA256 | 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953 |
| SHA512 | fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104 |
memory/5080-316-0x0000000001080000-0x0000000001484000-memory.dmp
memory/5080-318-0x00000000729D0000-0x0000000072C9F000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new
| MD5 | 91281b9036f6f330d9c21cb30cfb88d2 |
| SHA1 | b8a450928c91dbac543aced215fec60c2972c8a2 |
| SHA256 | b3e7132bbe680eb2a7b538e1f2d9ff51723554e1002a08d787e6064059d1688a |
| SHA512 | 4998a06f0fede579110649a642974d90d5afd1f145ae7a6e209c9d4633c81340d4c1139f704b2270a96d5e1418460fdaf8e19177eecd19c3e3d6fe2a1e679b66 |
memory/5080-319-0x0000000072900000-0x00000000729C8000-memory.dmp
memory/5080-320-0x0000000072830000-0x00000000728FE000-memory.dmp
memory/5080-321-0x00000000727B0000-0x00000000727D4000-memory.dmp
memory/5080-322-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-323-0x00000000726A0000-0x00000000727AA000-memory.dmp
memory/5080-325-0x0000000072610000-0x0000000072698000-memory.dmp
memory/5080-324-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-326-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-327-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-328-0x00000000727E0000-0x0000000072829000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\unverified-microdesc-consensus
| MD5 | 24dbc125264068c816f7ebbd5623497b |
| SHA1 | cce2cf96ce9929fb3412cf95ffab22bf66f56280 |
| SHA256 | 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953 |
| SHA512 | fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104 |
memory/5080-345-0x0000000001080000-0x0000000001484000-memory.dmp
memory/5080-346-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-347-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-349-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-348-0x0000000000E90000-0x0000000000ED9000-memory.dmp
memory/5080-398-0x0000000001080000-0x0000000001484000-memory.dmp
C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs
| MD5 | ad3d2fba62054e05f30fb3f8ad03ce4a |
| SHA1 | 1682d1a8df84e7b94ad8de7c5b532031eaa3af6e |
| SHA256 | 3084576780fadf47abc443862c0be5177089b52e3e9669fef32dd4322aad9335 |
| SHA512 | fd885b9d58d16fea83d8538baf6ede93c55da54cc629187e653f1ee26b066a28cec06e6697dc524c5916cd025783a8e2fe08e467f4a271a466a7bca79524b169 |
memory/4240-413-0x0000000072320000-0x000000007235A000-memory.dmp
memory/2120-415-0x00000000729D0000-0x0000000072C9F000-memory.dmp
memory/2120-417-0x0000000072900000-0x00000000729C8000-memory.dmp
memory/2120-414-0x0000000001080000-0x0000000001484000-memory.dmp
memory/2120-418-0x0000000072830000-0x00000000728FE000-memory.dmp
memory/2120-421-0x00000000727E0000-0x0000000072829000-memory.dmp
memory/2120-425-0x00000000726A0000-0x00000000727AA000-memory.dmp
memory/2120-427-0x0000000072610000-0x0000000072698000-memory.dmp
memory/2120-423-0x00000000727B0000-0x00000000727D4000-memory.dmp
memory/2120-430-0x0000000001080000-0x0000000001484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZCu86abZ.bat
| MD5 | b8a05c63f0ff6173e55e91d04fe77e88 |
| SHA1 | 2cdabcc2d8ffb7b89def5a719a9ef3c92abf8b65 |
| SHA256 | 70ae306a11ecf503f66d18e146fb27655199e0184732cb805779a0d5a95f1958 |
| SHA512 | 6cdc85dc597280f07d618ac44a7c79fd185ebb74356c1038d4c6246f9b952f0608bfcdcf66c7c132a7a6ad300c1b4babfaa6de0841ecb26a18c24e37e0c16fb8 |
memory/2120-431-0x00000000729D0000-0x0000000072C9F000-memory.dmp
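The process, network and file listings above carry the artefacts a responder would pivot on: a binary in %LOCALAPPDATA% launched as `WebSvc.exe -f torrc` alongside the DLL set and DataDirectory files (torrc, state, cached-certs, cached-microdesc-consensus) that a Tor client writes, TCP sessions to port 9001 (Tor's default relay ORPort), an external-IP lookup via myexternalip.com, and the `cmd.exe /c <bat>` plus `timeout` chain the report labels "Deletes itself". The triage script below is an added example, not part of this sandbox report or of the malware, that runs those checks over the report's own rows. The inputs are transcribed from this page and embedded so it runs offline; the extra external-IP service names and the choice of 9001 as the only relay port are this example's assumptions (relays also listen on other ports, so no 9001 hit is not proof of absence).

```python
"""Added triage example: flag Tor-client and self-cleanup artefacts in a sandbox
report's process, network and file listings. Inputs are transcribed from the report
(embedded so this runs offline); thresholds and extra service names are assumptions."""
import json
import re

TOR_DEFAULT_ORPORT = 9001  # default relay ORPort; relays may listen elsewhere
TOR_DATA_FILES = {"torrc", "state", "cached-certs", "cached-microdesc-consensus",
                  "cached-microdescs", "cached-microdescs.new"}  # tor DataDirectory files
# Assumption: the report shows only myexternalip.com; the others are common look-alikes.
EXTERNAL_IP_SERVICES = {"myexternalip.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

# --- sample inputs transcribed from the report ---
PROCESSES = [
    r'"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"',
    r'"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc',
    r'"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCu86abZ.bat" "',
    r"timeout /t 5 /nobreak",
]
NETWORK = [  # (country, destination, domain, proto)
    ("N/A", "127.0.0.1:49730", "", "tcp"),
    ("NL", "192.87.28.82:9001", "", "tcp"),
    ("NL", "185.14.30.57:9001", "", "tcp"),
    ("CA", "192.99.43.171:9001", "", "tcp"),
    ("US", "8.8.8.8:53", "myexternalip.com", "udp"),
    ("US", "34.160.111.145:443", "myexternalip.com", "tcp"),
    ("DE", "188.68.56.181:9001", "", "tcp"),
]
FILES = [
    r"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe",
    r"C:\Users\Admin\AppData\Local\792c4c98\tor\torrc",
    r"C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus",
    r"C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-certs",
    r"C:\Users\Admin\AppData\Local\792c4c98\tor\data\state",
    r"C:\Users\Admin\AppData\Local\Temp\ZCu86abZ.bat",
]

# `<image> -f <config>` is how a tor binary is pointed at its torrc.
_LAUNCH = re.compile(r'^"?(?P<image>[^"]+?\.exe)"?\s+-f\s+"?(?P<config>[^"\s]+)"?', re.I)
_BAT = re.compile(r'cmd\.exe\s+/c\s+"*(?P<bat>[^"]+\.bat)"', re.I)
_TIMEOUT = re.compile(r"^timeout\s+/t\s+\d+", re.I)


def tor_launches(cmdlines):
    """De-duplicated `<image> -f torrc` launches, noting whether the image is
    not named tor.exe and whether it sits in a user-writable directory."""
    hits = []
    for line in cmdlines:
        m = _LAUNCH.match(line.strip())
        if not m or "torrc" not in m.group("config").lower():
            continue
        image = m.group("image")
        hit = {"image": image, "config": m.group("config"),
               "renamed": not image.lower().endswith("\\tor.exe"),
               "user_writable": "\\appdata\\local\\" in image.lower()}
        if hit not in hits:
            hits.append(hit)
    return hits


def orport_peers(rows):
    """Non-loopback TCP destinations on the default Tor ORPort, sorted."""
    peers = set()
    for _country, dest, _domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if proto == "tcp" and port == str(TOR_DEFAULT_ORPORT) and not host.startswith("127."):
            peers.add(dest)
    return sorted(peers)


def external_ip_lookups(rows):
    """Domains in the network table that are external-IP web services."""
    return sorted({d for _c, _dest, d, _p in rows if d.lower() in EXTERNAL_IP_SERVICES})


def tor_datadir_markers(paths):
    """Dropped-file basenames that belong to a tor DataDirectory."""
    return {p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in paths} & TOR_DATA_FILES


def self_cleanup(cmdlines):
    """cmd.exe /c <bat> plus a timeout delay: the report's 'Deletes itself' chain."""
    bats = [m.group("bat") for m in map(_BAT.search, cmdlines) if m]
    return {"batch_files": bats,
            "timeout_delay": any(_TIMEOUT.match(line.strip()) for line in cmdlines)}


def assess(cmdlines, rows, paths):
    """One verdict: a Tor client is called when a `-f torrc` launch is backed by
    relay traffic or by at least two DataDirectory files."""
    launches, peers = tor_launches(cmdlines), orport_peers(rows)
    markers, cleanup = tor_datadir_markers(paths), self_cleanup(cmdlines)
    return {"tor_client": bool(launches) and (bool(peers) or len(markers) >= 2),
            "tor_image": launches[0]["image"] if launches else None,
            "orport_peers": peers, "datadir_markers": sorted(markers),
            "external_ip_services": external_ip_lookups(rows),
            "self_cleanup": bool(cleanup["batch_files"]) and cleanup["timeout_delay"]}


if __name__ == "__main__":
    print(json.dumps(assess(PROCESSES, NETWORK, FILES), indent=2))
```

Run it as-is to get the verdict for this sample; in practice the three lists are fed from the sandbox's JSON export or from EDR process, network and file events, and the `-f torrc` launch check is the one worth turning into a standing detection, since the DLL names and relay IPs change between builds while the launch syntax does not.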