Malware Analysis Report

2025-01-03 05:22

Sample ID 230304-zs2vpaec3v
Target DDoS Panel V3.exe
SHA256 c719392010e985181bc9dd1dd5e6ae8a3e3717ef8f4a541554df57f725008d2f
Tags: bitrat persistence trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c719392010e985181bc9dd1dd5e6ae8a3e3717ef8f4a541554df57f725008d2f

Threat Level: Known bad

The file DDoS Panel V3.exe was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Bitrat family

Deletes itself

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-04 20:59

Signatures

Bitrat family

bitrat

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-04 20:59

Reported

2023-03-04 21:04

Platform

win10v2004-20230220-en

Max time kernel

262s

Max time network

265s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(15 matches recorded, all fields N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
(40 matches recorded, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck\ue000" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckä„€" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck\u2000" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck怀" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckက" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck䀀" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheckȀ" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A (6 identical entries)

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A (30 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe

"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wql1kFPm.bat" "

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 163.172.149.155:443 tcp
DE 78.47.18.110:80 tcp
N/A 127.0.0.1:49782 tcp
US 8.8.8.8:53 110.18.47.78.in-addr.arpa udp
DE 46.4.66.178:9001 tcp
DE 51.77.70.243:9001 tcp
HU 79.172.193.65:443 tcp
US 8.8.8.8:53 178.66.4.46.in-addr.arpa udp
US 8.8.8.8:53 243.70.77.51.in-addr.arpa udp
US 8.8.8.8:53 65.193.172.79.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 51.77.70.243:9001 tcp
HU 79.172.193.65:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 83.211.2.23.in-addr.arpa udp
US 8.8.8.8:53 9.101.122.92.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 34.160.111.145:443 myexternalip.com tcp
NL 8.238.177.126:80 tcp
US 93.184.220.29:80 tcp
NL 8.238.177.126:80 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
DE 51.77.70.243:9001 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/2652-133-0x0000000000400000-0x0000000000C33000-memory.dmp

memory/2652-134-0x0000000074D30000-0x0000000074D69000-memory.dmp

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\792c4c98\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\792c4c98\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\792c4c98\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\792c4c98\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\792c4c98\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/2660-164-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-166-0x0000000074060000-0x0000000074084000-memory.dmp

memory/2660-165-0x0000000074160000-0x0000000074228000-memory.dmp

C:\Users\Admin\AppData\Local\792c4c98\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2660-170-0x0000000073F50000-0x000000007405A000-memory.dmp

memory/2660-169-0x0000000073EC0000-0x0000000073F48000-memory.dmp

memory/2660-171-0x00000000015A0000-0x000000000186F000-memory.dmp

C:\Users\Admin\AppData\Local\792c4c98\tor\torrc

MD5 348f4efd675a7f6eb18dff7bf517685c
SHA1 ab2e60dea306eff37a2a7753d7c01b9f964022c4
SHA256 e537c238f7927e97bceb3e1c8c0dd2230af6d66aee5605674bca91df4ab7d31e
SHA512 c7761c2283f0d579a285e4bbebf01649967b0a542ba4dfe6ca7b97fcc51691befe12c114f9105372faeeebd010f941cb2c4a8fc3dbd7ad457fac9ee59cfcb19e

memory/2660-175-0x0000000074230000-0x0000000074279000-memory.dmp

memory/2660-176-0x0000000074090000-0x000000007415E000-memory.dmp

memory/2660-177-0x0000000073BF0000-0x0000000073EBF000-memory.dmp

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus.tmp

MD5 24dbc125264068c816f7ebbd5623497b
SHA1 cce2cf96ce9929fb3412cf95ffab22bf66f56280
SHA256 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953
SHA512 fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104

memory/2652-188-0x00000000737E0000-0x0000000073819000-memory.dmp

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new

MD5 acaa2b0c8a941fa2f1effd572f6a221e
SHA1 f71bd72e23fb2df51f4acd27aeb195c7ddaf8a3b
SHA256 980d1a348aba451d825f1791e4ed59645edc2d8ebfc8667396df7eb4c898f213
SHA512 a9fa20120c9623a2932aac517c9130b2da194c6664de628fc5b55c10e3b721166e5e4bce1b4583c01eaff968c9f52f71a02aa4434c0365137b4ff4fc828947ae

memory/2660-201-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-203-0x0000000074160000-0x0000000074228000-memory.dmp

memory/2660-204-0x0000000074060000-0x0000000074084000-memory.dmp

memory/2660-206-0x0000000073EC0000-0x0000000073F48000-memory.dmp

memory/2660-207-0x0000000073F50000-0x000000007405A000-memory.dmp

memory/2660-209-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-210-0x00000000015A0000-0x000000000186F000-memory.dmp

memory/2660-217-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-225-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-233-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-241-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-249-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-257-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2660-265-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2652-273-0x0000000074D30000-0x0000000074D69000-memory.dmp

memory/2660-338-0x0000000000210000-0x0000000000614000-memory.dmp

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus

MD5 24dbc125264068c816f7ebbd5623497b
SHA1 cce2cf96ce9929fb3412cf95ffab22bf66f56280
SHA256 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953
SHA512 fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-certs

MD5 02f508db7544135af39a99af351c2349
SHA1 95386fc8a6804555928ddb4135ab241553dd0931
SHA256 4fa11755280deed639b0fc1d06962c3bdee83233d775eaa7b6f1e459752afc23
SHA512 0fa63c9cb873e3fc23edfe92023103ecbb1754c636f9ff416b24bbb9b1c2255acfa1dce122dc14cf6f427ee770df5aeb16d6a11bc6cc60b6a57f1d93860ed707

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new

MD5 0d72dbd9620800a60f7d51cdf161c68b
SHA1 e7246dc7e97db357627785eb1bea76770e472052
SHA256 3c5d473b011e7386c923681a6b96a9c86ed98363199756d5d323699457d4645a
SHA512 c13fe5d5ad40f1eaac8fc8bb7de49ce25e5772c76cd303d84f2b3ce76ea90859f604955646e18da7323ee36bf28af88cf2904f577a3047409b01ea50da0bca16

C:\Users\Admin\AppData\Local\792c4c98\tor\data\unverified-microdesc-consensus

MD5 24dbc125264068c816f7ebbd5623497b
SHA1 cce2cf96ce9929fb3412cf95ffab22bf66f56280
SHA256 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953
SHA512 fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104

C:\Users\Admin\AppData\Local\792c4c98\tor\data\state

MD5 560c094f683dae68936f320131c26558
SHA1 0dacc3698a7e72bc20bc0110ebfeb7b925b04ef9
SHA256 77a4f313e64ae7ac0dea216528d817262dbe966d726413a8c6434db53c73a005
SHA512 67c68c01d8ad05f0f0743990a237940802c20ea3ff35ad946648e2ae964a8f569f9550dd73379c26d54c94bcabccc88303215b4a32153d9daf8a022d460d397f

memory/2652-347-0x00000000737E0000-0x0000000073819000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wql1kFPm.bat

MD5 48fd6fd5b940e598a087efd8afb69d6e
SHA1 1f07df9ac8ee28020b030e5ebebad35eea427910
SHA256 3b33a05baf95ecfe8e1d59caeda817d072207e43f451198caab66d5aa965eeb4
SHA512 8256db1a4cb22b06d90585fed2974c3b0f7c11002a3b36ea55d8a0ceeea2afc4e7cf74f1c89fc75e7e0e5bf81c7e60241ea0d91efbbe53378c2ac7dc0dcac5d6

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-04 20:59

Reported

2023-03-04 21:04

Platform

win7-20230220-en

Max time kernel

169s

Max time network

260s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(29 matches recorded, all fields N/A)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
(64 matches recorded, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 592 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 592 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 592 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 592 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe

"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gPeLJG08.bat" "

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

Network


Files

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\zlib1.dll

C:\Users\Admin\AppData\Local\792c4c98\tor\torrc

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-certs.tmp

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\792c4c98\tor\data\state

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus

C:\Users\Admin\AppData\Local\792c4c98\tor\data\unverified-microdesc-consensus

C:\Users\Admin\AppData\Local\Temp\CabAFC.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarC4A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\gPeLJG08.bat

C:\Users\Admin\AppData\Local\792c4c98\tor\data\CACHED~3

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-04 20:59

Reported

2023-03-04 21:04

Platform

win10-20230220-en

Max time kernel

167s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\HealthCheck = "C:\\Users\\Admin\\AppData\\Local\\appdata\\HealthCheck" C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4240 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 4240 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 4240 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 4240 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe
PID 4240 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe C:\Windows\system32\cmd.exe
PID 3220 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe

"C:\Users\Admin\AppData\Local\Temp\DDoS Panel V3.exe"

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

"C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe" -f torrc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCu86abZ.bat" "

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

Network

Files

C:\Users\Admin\AppData\Local\792c4c98\tor\WebSvc.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\792c4c98\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\792c4c98\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\792c4c98\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\792c4c98\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\792c4c98\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\792c4c98\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\792c4c98\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\792c4c98\tor\torrc

MD5 348f4efd675a7f6eb18dff7bf517685c
SHA1 ab2e60dea306eff37a2a7753d7c01b9f964022c4
SHA256 e537c238f7927e97bceb3e1c8c0dd2230af6d66aee5605674bca91df4ab7d31e
SHA512 c7761c2283f0d579a285e4bbebf01649967b0a542ba4dfe6ca7b97fcc51691befe12c114f9105372faeeebd010f941cb2c4a8fc3dbd7ad457fac9ee59cfcb19e

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus.tmp

MD5 24dbc125264068c816f7ebbd5623497b
SHA1 cce2cf96ce9929fb3412cf95ffab22bf66f56280
SHA256 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953
SHA512 fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new

MD5 04eb501894305da7de5a75320a63444c
SHA1 a26f43cd1d07e072e4759d98f14cee356d0ef455
SHA256 fec96152b242816ba664d1cc4b4c096d957d12cce6aba06de37c17eb4fd746ad
SHA512 a934d9de33323193bfffa8e00cf9eb37fdca0675a88d2948ffc49ba8ea7d70d49f3979fca912dbf65dee8b931624abf314f907095fc145254ec949b70d5a56f3

C:\Users\Admin\AppData\Local\792c4c98\tor\data\state

MD5 92754888729a99aacc44ab40bfdb0033
SHA1 538bdf472ecff3e89882178485c8a218043ccdf2
SHA256 a362a85ff15e71574b5da3c47530cdf67eb25fdecc537c1a34c9c1e66526b71e
SHA512 877c5629e014582f626a0e55d55117cb660bccbc0fd2aaa799244306620365a588322b6b0de702c8fcf08bab8ced93d21a61f04366c8ac58ab225a7f279143d8

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-certs

MD5 2c09cc56df3f63e07ca923e886d6a8cc
SHA1 68555cecfc4a0e6a06e35e34310d107967d09956
SHA256 1b29cf50ae61f3db77dc4145ff4e83ed380d0784e4459d2eada5f75961d01157
SHA512 b8f26b099a41953b72b3f4cb957062575da7409cd9c4819d66985cee804e87bbcc447169bc1facf41a9a024e1a83562503aa072ca1a2e163c9babfea712b1f30

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdesc-consensus

MD5 24dbc125264068c816f7ebbd5623497b
SHA1 cce2cf96ce9929fb3412cf95ffab22bf66f56280
SHA256 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953
SHA512 fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs.new

MD5 91281b9036f6f330d9c21cb30cfb88d2
SHA1 b8a450928c91dbac543aced215fec60c2972c8a2
SHA256 b3e7132bbe680eb2a7b538e1f2d9ff51723554e1002a08d787e6064059d1688a
SHA512 4998a06f0fede579110649a642974d90d5afd1f145ae7a6e209c9d4633c81340d4c1139f704b2270a96d5e1418460fdaf8e19177eecd19c3e3d6fe2a1e679b66

C:\Users\Admin\AppData\Local\792c4c98\tor\data\unverified-microdesc-consensus

MD5 24dbc125264068c816f7ebbd5623497b
SHA1 cce2cf96ce9929fb3412cf95ffab22bf66f56280
SHA256 6ca4e2fc8fe4fe06d26d1c192ad20d7b5c44d1b5edbcc0ef818b6388a8134953
SHA512 fdcc34b49a1137e6a723ea3f58b72b955cb61dbcc48d9c5b9c5f2fe2f67e1962fdaa3bab8651b0a292be1818016ada44adc04e54be1d90b1e314c9d566b96104

C:\Users\Admin\AppData\Local\792c4c98\tor\data\cached-microdescs

MD5 ad3d2fba62054e05f30fb3f8ad03ce4a
SHA1 1682d1a8df84e7b94ad8de7c5b532031eaa3af6e
SHA256 3084576780fadf47abc443862c0be5177089b52e3e9669fef32dd4322aad9335
SHA512 fd885b9d58d16fea83d8538baf6ede93c55da54cc629187e653f1ee26b066a28cec06e6697dc524c5916cd025783a8e2fe08e467f4a271a466a7bca79524b169

C:\Users\Admin\AppData\Local\Temp\ZCu86abZ.bat

MD5 b8a05c63f0ff6173e55e91d04fe77e88
SHA1 2cdabcc2d8ffb7b89def5a719a9ef3c92abf8b65
SHA256 70ae306a11ecf503f66d18e146fb27655199e0184732cb805779a0d5a95f1958
SHA512 6cdc85dc597280f07d618ac44a7c79fd185ebb74356c1038d4c6246f9b952f0608bfcdcf66c7c132a7a6ad300c1b4babfaa6de0841ecb26a18c24e37e0c16fb8